CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Oracle » Application Server : Security Vulnerabilities (CVSS score between 7 and 7.99)

CVSS Scores Greater Than: 0   1   2   3   4   5   6   7   8   9  
Copy Results Download Results Select Table
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2007-5525 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Single Sign-On component in Oracle Application Server 9.0.4.3, 10.1.2.0.2, 10.1.2.2, and 10.1.4.0.1; Collaboration Suite 10.1.2; and Enterprise Manager 10.1.2 has unknown impact and remote attack vectors, aka AS10.
2 CVE-2007-5524 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Single Sign-On component in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2, and Collaboration Suite 10.1.2, has unknown impact and remote attack vectors, aka AS09 or AS9.
3 CVE-2007-5523 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Internet Directory component in Oracle Application Server 9.0.4.3, 10.1.2.0.2, 10.1.2.2, and 10.1.4.0, and Collaboration Suite 10.1.2, has unknown impact and remote attack vectors, aka AS08.
4 CVE-2007-5522 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 10.1.4.1 has unknown impact and remote attack vectors, aka AS07.
5 CVE-2007-5521 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 9.0.4.3, 10.1.2.0.2, 10.1.2.2, and 10.1.3.3, and Collaboration Suite 10.1.2, has unknown impact and remote attack vectors, aka AS06.
6 CVE-2007-5520 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Internet Directory component in Oracle Database 9.2.0.8 and 9.2.0.8DV, and Oracle Application Server 9.0.4.3, 10.1.3.0.0 up to 10.1.3.3.0, and 10.1.2.0.1 up to 10.1.2.2.0, has unknown impact and remote attack vectors, aka AS05.
7 CVE-2007-5519 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3 and 10.1.2.0.2, and Collaboration Suite 10.1.2, has unknown impact and remote attack vectors, aka AS04.
8 CVE-2007-5518 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle HTTP Server component in Oracle Application Server 10.1.3.2 has unknown impact and remote attack vectors, aka AS03.
9 CVE-2007-5517 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 10.1.2.0.2 and 10.1.4.1, and Collaboration Suite 10.1.2, has unknown impact and remote attack vectors, aka AS02.
10 CVE-2007-5516 2007-10-17 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Process Mgmt & Notification component in Oracle Application Server 10.1.3.3 has unknown impact and remote attack vectors, aka AS01.
11 CVE-2007-3863 2007-07-18 2012-10-22
7.5
 User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle JDeveloper for Application Server 10.1.2.2 and 10.1.3.1, and Collaboration Suite 10.1.2, allows context-dependent attackers to have an unknown impact via custom applications that use JBO.SERVER, aka JDEV02.
12 CVE-2007-3862 2007-07-18 2012-10-22
7.5
 User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle Application Server 9.0.4.3 and 10.1.2.0.2 allows remote attackers to have an unknown impact via Oracle Single Sign On, aka AS01.
13 CVE-2007-3861 2007-07-18 2012-10-22
7.5
 User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle Jdeveloper in Oracle Application Server 10.1.2.2 and Collaboration Suite 10.1.2 allows context-dependent attackers to have an unknown impact via custom applications that use JBO.KEY, aka JDEV01.
14 CVE-2007-3859 2007-07-18 2012-10-22
7.5
 User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Internet Directory component for Oracle Database 9.2.0.8 and 9.2.0.8DV; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 10.1.2 has unknown impact and remote attack vectors, aka OID01.
15 CVE-2007-2120 399 2007-04-18 2012-10-22
7.8
 None Remote Low Not required None None Complete
The Oracle Discoverer servlet in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2.0 allows remote attackers to shut down an Oracle TNS Listener via a TNS STOP commmand in a request that uses the database/TNS alias, aka AS01.
16 CVE-2007-0280 Overflow 2007-01-16 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN01. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that OPMN01 is for a buffer overflow in Oracle Notification Service (ONS).
17 CVE-2006-0586 89 Exec Code Sql 2006-02-07 2011-09-08
7.5
 User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitrary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues has been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues.
18 CVE-2006-0552 2006-02-04 2012-10-22
7.5
 None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Net Listener component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, and 9.2.0.7 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB11.
19 CVE-2006-0435 Bypass 2006-01-26 2012-10-22
7.5
 User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle PL/SQL (PLSQL), as used in Database Server DS 9.2.0.7 and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, 10.1.2.0.2, 10.1.2.1.0, and 10.1.3.0.0, E-Business Suite and Applications 11.5.10, and Collaboration Suite 10.1.1, 10.1.2.0, 10.1.2.1, and 9.0.4.2, allows attackers to bypass the PLSQLExclusion list and access excluded packages and procedures, aka Vuln# PLSQL01.
20 CVE-2005-1495 2005-05-11 2008-09-05
7.5
 None Remote Low Not required Partial Partial Partial
Oracle Database 9i and 10g disables Fine Grained Audit (FGA) after the SYS user executes a SELECT statement on an FGA object, which makes it easier for attackers to escape detection.
21 CVE-2005-1383 Bypass 2005-05-03 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
The OHS component 1.0.2 through 10.x, when UseWebcacheIP is disabled, in Oracle Application Server allows remote attackers to bypass HTTP Server mod_access restrictions via a request to the webcache TCP port 7778.
22 CVE-2004-1774 Exec Code Overflow 2004-08-31 2010-02-06
7.2
 Admin Local Low Not required Complete Complete Complete
Buffer overflow in the SDO_CODE_SIZE procedure of the MD2 package (MDSYS.MD2.SDO_CODE_SIZE) in Oracle 10g before 10.1.0.2 Patch 2 allows local users to execute arbitrary code via a long LAYER parameter.
23 CVE-2004-1707 +Priv 2004-07-30 2008-09-05
7.2
 Admin Local Low Not required Complete Complete Complete
The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracle IAS 9.0.2.0.1, on Unix systems, use a default path to find and execute library files while operating at raised privileges, which allows certain Oracle user accounts to gain root privileges via a modified libclntsh.so.9.0.
24 CVE-2004-1370 Exec Code +Priv Sql 2004-08-04 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in PL/SQL procedures that run with definer rights in Oracle 9i and 10g allow remote attackers to execute arbitrary SQL commands and gain privileges via (1) DBMS_EXPORT_EXTENSION, (2) WK_ACL.GET_ACL, (3) WK_ACL.STORE_ACL, (4) WK_ADM.COMPLETE_ACL_SNAPSHOT, (5) WK_ACL.DELETE_ACLS_WITH_STATEMENT, or (6) DRILOAD.VALIDATE_STMT.
25 CVE-2004-1368 2004-08-04 2008-09-05
7.8
 None Remote Low Not required Complete None None
ISQL*Plus in Oracle 10g Application Server allows remote attackers to execute arbitrary files via an absolute pathname in the file parameter to the load.uix script.
26 CVE-2004-1363 119 Exec Code Overflow 2004-08-04 2008-09-05
7.2
 Admin Local Low Not required Complete Complete Complete
Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed.
27 CVE-2004-1362 Bypass 2004-08-04 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.
28 CVE-2002-2345 255 2002-12-31 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
Oracle 9i Application Server 9.0.2 stores the web cache administrator interface password in plaintext, which allows remote attackers to gain access.
29 CVE-2002-2153 Exec Code 2002-12-31 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
Format string vulnerability in the administrative pages of the PL/SQL module for Oracle Application Server 4.0.8 and 4.0.8 2 allows remote attackers to execute arbitrary code.
30 CVE-2002-1631 Exec Code Sql 2002-12-31 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the query.xsql sample page in Oracle 9i Application Server (9iAS) allows remote attackers to execute arbitrary code via the sql parameter.
31 CVE-2002-1630 2002-12-31 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
The sendmail.jsp sample page in Oracle 9i Application Server (9iAS) allows remote attackers to send arbitrary emails.
32 CVE-2002-0947 Exec Code Overflow 2002-10-04 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
Buffer overflow in rwcgi60 CGI program for Oracle Reports Server 6.0.8.18.0 and earlier, as used in Oracle9iAS and other products, allows remote attackers to execute arbitrary code via a long database name parameter.
33 CVE-2002-0843 DoS Exec Code Overflow 2002-10-11 2008-09-10
7.5
 User Remote Low Not required Partial Partial Partial
Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.
34 CVE-2002-0842 Exec Code 2003-03-03 2008-09-10
7.5
 User Remote Low Not required Partial Partial Partial
Format string vulnerability in certain third party modifications to mod_dav for logging bad gateway messages (e.g. Oracle9i Application Server 9.0.2) allows remote attackers to execute arbitrary code via a destination URI that forces a "502 Bad Gateway" response, which causes the format string specifiers to be returned from dav_lookup_uri() in mod_dav.c, which is then used in a call to ap_log_rerror().
35 CVE-2002-0656 Exec Code Overflow 2002-08-12 2008-09-10
7.5
 User Remote Low Not required Partial Partial Partial
Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.
36 CVE-2002-0655 DoS Exec Code 2002-08-12 2008-09-10
7.5
 User Remote Low Not required Partial Partial Partial
OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.
37 CVE-2002-0569 Bypass 2002-07-03 2008-09-05
7.5
 None Remote Low Not required Partial Partial Partial
Oracle 9i Application Server allows remote attackers to bypass access restrictions for configuration files via a direct request to the XSQL Servlet (XSQLServlet).
38 CVE-2002-0564 Bypass 2002-07-03 2008-09-05
7.5
 None Remote Low Not required Partial Partial Partial
PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allows remote attackers to bypass authentication for a Database Access Descriptor (DAD) by modifying the URL to reference an alternate DAD that already has valid credentials.
39 CVE-2002-0561 +Priv 2002-07-03 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
The default configuration of the PL/SQL Gateway web administration interface in Oracle 9i Application Server 1.0.2.x uses null authentication, which allows remote attackers to gain privileges and modify DAD settings.
40 CVE-2002-0559 DoS Exec Code Overflow 2002-07-03 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
Buffer overflows in PL/SQL module 3.0.9.8.2 in Oracle 9i Application Server 1.0.2.x allow remote attackers to cause a denial of service or execute arbitrary code via (1) a long help page request without a dadname, which overflows the resulting HTTP Location header, (2) a long HTTP request to the plsql module, (3) a long password in the HTTP Authorization, (4) a long Access Descriptor (DAD) password in the addadd form, or (5) a long cache directory name.
41 CVE-2001-1371 264 2002-02-06 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
The default configuration of Oracle Application Server 9iAS 1.0.2.2 enables SOAP and allows anonymous users to deploy applications by default via urn:soap-service-manager and urn:soap-provider-manager.
42 CVE-2001-1216 Exec Code Overflow 2001-12-21 2008-09-05
7.5
 User Remote Low Not required Partial Partial Partial
Buffer overflow in PL/SQL Apache module in Oracle 9i Application Server allows remote attackers to execute arbitrary code via a long request for a help page.
43 CVE-2001-0591 Dir. Trav. 2001-08-22 2008-09-10
7.5
 User Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in Oracle JSP 1.0.x through 1.1.1 and Oracle 8.1.7 iAS Release 1.0.2 can allow a remote attacker to read or execute arbitrary .jsp files via a '..' (dot dot) attack.
44 CVE-2001-0419 Exec Code Overflow 2001-07-02 2008-09-05
7.5
 None Remote Low Not required Partial Partial Partial
Buffer overflow in shared library ndwfn4.so for iPlanet Web Server (iWS) 4.1, when used as a web listener for Oracle application server 4.0.8.2, allows remote attackers to execute arbitrary commands via a long HTTP request that is passed to the application server, such as /jsp/.
45 CVE-2001-0326 2001-05-03 2008-09-05
7.5
 None Remote Low Not required Partial Partial Partial
Oracle Java Virtual Machine (JVM ) for Oracle 8.1.7 and Oracle Application Server 9iAS Release 1.0.2.0.1 allows remote attackers to read arbitrary files via the .jsp and .sqljsp file extensions when the server is configured to use the <<ALL FILES>> FilePermission.
46 CVE-2000-1236 Exec Code Sql 2000-12-31 2008-09-10
7.5
 User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in mod_sql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the query string of the URL.
47 CVE-2000-0169 Exec Code 2000-03-15 2008-09-10
7.5
 User Remote Low Not required Partial Partial Partial
Batch files in the Oracle web listener ows-bin directory allow remote attackers to execute commands via a malformed URL that includes '?&'.
Total number of vulnerabilities : 47   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.