CVE-2008-3979 - OpenCVE

Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the January 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a SQL injection vulnerability that allows remote authenticated users to gain MDSYS privileges via the MDSYS.SDO_TOPO_DROP_FTBL trigger.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Database 10g

Configuration 1 [-]

OR	cpe:2.3:a:oracle:database_10g:10.1.0.5:::::::*
	cpe:2.3:a:oracle:database_10g:10.2.0.2:::::::*

No data.

References

Link	Providers
http://osvdb.org/51354
http://secunia.com/advisories/33525
http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html
http://www.securityfocus.com/archive/1/500061/100/0/threaded
http://www.securityfocus.com/bid/33177
http://www.securitytracker.com/id?1021561
http://www.vupen.com/english/advisories/2009/0115
https://www.exploit-db.com/exploits/8074

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2009-01-14T01:00:00

Updated: 2024-08-07T10:00:41.930Z

Reserved: 2008-09-09T00:00:00

Link: CVE-2008-3979

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-01-14T01:30:00.453

Modified: 2018-10-11T20:50:36.530

Link: CVE-2008-3979

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-01-13T00:00:00", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the January 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a SQL injection vulnerability that allows remote authenticated users to gain MDSYS privileges via the MDSYS.SDO_TOPO_DROP_FTBL trigger."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "51354", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/51354"}, {"name": "33525", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33525"}, {"name": "1021561", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1021561"}, {"name": "ADV-2009-0115", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/0115"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html"}, {"name": "33177", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/33177"}, {"name": "8074", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/8074"}, {"name": "20090113 Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/500061/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2008-3979", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the January 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a SQL injection vulnerability that allows remote authenticated users to gain MDSYS privileges via the MDSYS.SDO_TOPO_DROP_FTBL trigger."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "51354", "refsource": "OSVDB", "url": "http://osvdb.org/51354"}, {"name": "33525", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33525"}, {"name": "1021561", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1021561"}, {"name": "ADV-2009-0115", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/0115"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html"}, {"name": "33177", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33177"}, {"name": "8074", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/8074"}, {"name": "20090113 Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/500061/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T10:00:41.930Z"}, "title": "CVE Program Container", "references": [{"name": "51354", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/51354"}, {"name": "33525", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33525"}, {"name": "1021561", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1021561"}, {"name": "ADV-2009-0115", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/0115"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html"}, {"name": "33177", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/33177"}, {"name": "8074", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/8074"}, {"name": "20090113 Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/500061/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2008-3979", "datePublished": "2009-01-14T01:00:00", "dateReserved": "2008-09-09T00:00:00", "dateUpdated": "2024-08-07T10:00:41.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:database_10g:10.1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "AB9DC5FD-9892-47BD-8F35-A3D4556952A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:database_10g:10.2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "62D38CEF-DC3A-4467-BB9E-1B3DF0DEEFCC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the January 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a SQL injection vulnerability that allows remote authenticated users to gain MDSYS privileges via the MDSYS.SDO_TOPO_DROP_FTBL trigger."}, {"lang": "es", "value": "Una vulnerabilidad no especificada en el componente Oracle Spatial en Oracle Database versiones 10.1.0.5 y 10.2.0.2, permite a los usuarios autenticados remotos afectar a la confidencialidad e integridad por medio de vectores desconocidos. NOTA: la informaci\u00f3n anterior fue obtenida de la CPU de enero de 2009. Oracle no ha comentado sobre las afirmaciones de investigadores confiables de que este problema es una vulnerabilidad de inyecci\u00f3n SQL que permite a los usuarios autenticados remotos alcanzar privilegios MDSYS por medio de la activaci\u00f3n de MDSYS.SDO_TOPO_DROP_FTBL."}], "id": "CVE-2008-3979", "lastModified": "2018-10-11T20:50:36.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-01-14T01:30:00.453", "references": [{"source": "secalert_us@oracle.com", "url": "http://osvdb.org/51354"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/33525"}, {"source": "secalert_us@oracle.com", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/archive/1/500061/100/0/threaded"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/bid/33177"}, {"source": "secalert_us@oracle.com", "url": "http://www.securitytracker.com/id?1021561"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/0115"}, {"source": "secalert_us@oracle.com", "url": "https://www.exploit-db.com/exploits/8074"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}