CVE-2003-0095

Current Description

Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i, 8.1.7, and 8.0.6 allows remote attackers to execute arbitrary code via a long username that is provided during login, as exploitable through client applications that perform their own authentication, as demonstrated using LOADPSP.

Basic Data

Published: March 03, 2003
Last Modified: October 18, 2016
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-119
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 10.0
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 10.0
Obtain All Privilege: true
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
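    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | Oracle | Database Server | 8.0.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Database Server | 9.2.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Database Server | 9.2.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Oracle8i | 8.1.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Oracle8i | 8.1.7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Oracle9i | 9.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Oracle9i | 9.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Oracle9i | 9.0.1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Oracle9i | 9.0.1.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Oracle9i | 9.0.2 | * | * | * | * | * | * | * | | | | |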

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Oracle | Database Server | 8.0.6, 9.2.1, 9.2.2 |
| Oracle | Oracle9i | 9.0, 9.0.1, 9.0.1.2, 9.0.1.3, 9.0.2 |
| Oracle | Oracle8i | 8.1.7, 8.1.7.1 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| 20030217 Oracle unauthenticated remote system compromise (#NISR16022003a) | BUGTRAQ | http://marc.info/?l=bugtraq&m=104549693426042&w=2 | |
| http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf | CONFIRM | http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf | Patch, Vendor Advisory |
| CA-2003-05 | CERT | http://www.cert.org/advisories/CA-2003-05.html | Third Party Advisory, US Government Resource |
| N-046 | CIAC | http://www.ciac.org/ciac/bulletins/n-046.shtml | |
| oracle-username-bo(11328) | XF | http://www.iss.net/security_center/static/11328.php | Vendor Advisory |
| VU#953746 | CERT-VN | http://www.kb.cert.org/vuls/id/953746 | US Government Resource |
| 6319 | OSVDB | http://www.osvdb.org/6319 | |
| 6849 | BID | http://www.securityfocus.com/bid/6849 | |