CVE-2010-3600 - OpenCVE

Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Database Server Enterprise Manager Grid Control

Configuration 1 [-]

OR	cpe:2.3:a:oracle:database_server:11.1.0.7:::::::*
	cpe:2.3:a:oracle:database_server:11.2.0.1:::::::*
	cpe:2.3:a:oracle:enterprise_manager_grid_control:10.2.0.5:::::::*

No data.

References

Link	Providers
http://secunia.com/advisories/42895
http://secunia.com/advisories/42921
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://www.securityfocus.com/bid/45883
http://www.securitytracker.com/id?1024972
http://www.vupen.com/english/advisories/2011/0139
http://www.vupen.com/english/advisories/2011/0140
http://www.zerodayinitiative.com/advisories/ZDI-11-018/
https://exchange.xforce.ibmcloud.com/vulnerabilities/64755

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2011-01-19T15:00:00

Updated: 2024-08-07T03:18:52.489Z

Reserved: 2010-09-20T00:00:00

Link: CVE-2010-3600

Vulnrichment

No data.

NVD

Status : Modified

Published: 2011-01-19T16:00:03.000

Modified: 2017-08-17T01:33:00.447

Link: CVE-2010-3600

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-01-18T00:00:00", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "ADV-2011-0139", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2011/0139"}, {"name": "1024972", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1024972"}, {"name": "45883", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/45883"}, {"name": "42895", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42895"}, {"name": "oracle-db-gridcontrol-unspecified(64755)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64755"}, {"name": "42921", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42921"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-11-018/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}, {"name": "ADV-2011-0140", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2011/0140"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2010-3600", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2011-0139", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0139"}, {"name": "1024972", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1024972"}, {"name": "45883", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45883"}, {"name": "42895", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42895"}, {"name": "oracle-db-gridcontrol-unspecified(64755)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64755"}, {"name": "42921", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42921"}, {"name": "http://www.zerodayinitiative.com/advisories/ZDI-11-018/", "refsource": "MISC", "url": "http://www.zerodayinitiative.com/advisories/ZDI-11-018/"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}, {"name": "ADV-2011-0140", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0140"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T03:18:52.489Z"}, "title": "CVE Program Container", "references": [{"name": "ADV-2011-0139", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2011/0139"}, {"name": "1024972", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1024972"}, {"name": "45883", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/45883"}, {"name": "42895", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/42895"}, {"name": "oracle-db-gridcontrol-unspecified(64755)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64755"}, {"name": "42921", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/42921"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-11-018/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}, {"name": "ADV-2011-0140", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2011/0140"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2010-3600", "datePublished": "2011-01-19T15:00:00", "dateReserved": "2010-09-20T00:00:00", "dateUpdated": "2024-08-07T03:18:52.489Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:database_server:11.1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "EDEDE937-C3D7-421C-9F70-F546AB823E1D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:database_server:11.2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "378CCC72-84CB-45E7-A832-516D69510540", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_grid_control:10.2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0C20B70E-13D8-4D80-A87F-16072661B795", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code."}, {"lang": "es", "value": "Una vulnerabilidad no especificada en el componente Client System Analyzer en Database Server versiones 11.1.0.7 y 11.2.0.1 y Enterprise Manager Grid Control versi\u00f3n 10.2.0.5, de Oracle, permite a los atacantes remotos afectar la confidencialidad, integridad y disponibilidad por medio de vectores desconocidos. NOTA: la informaci\u00f3n anterior fue obtenida de la CPU de enero de 2011. Oracle no ha comentado las afirmaciones de un coordinador de terceros confiable de que este problema involucra un script JSP expuesto que acepta cargas XML junto con bytes NULL en un par\u00e1metro no especificado que permite la ejecuci\u00f3n de c\u00f3digo arbitrario ."}], "id": "CVE-2010-3600", "lastModified": "2017-08-17T01:33:00.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-01-19T16:00:03.000", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/42895"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/42921"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/bid/45883"}, {"source": "secalert_us@oracle.com", "url": "http://www.securitytracker.com/id?1024972"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2011/0139"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2011/0140"}, {"source": "secalert_us@oracle.com", "url": "http://www.zerodayinitiative.com/advisories/ZDI-11-018/"}, {"source": "secalert_us@oracle.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64755"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}