CVE-2004-0385 : Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allo

Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener. NOTE: due to the vagueness of the Oracle advisory, it is not clear whether there are additional issues besides this overflow, although the advisory alludes to multiple "vulnerabilities."

Published 2004-06-01 04:00:00

Updated 2017-07-11 01:30:07

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Threat overview for CVE-2004-0385

Top countries where our scanners detected CVE-2004-0385

Top open port discovered on systems with this issue 80

IPs affected by CVE-2004-0385 17

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2004-0385!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2004-0385

Probability of exploitation activity in the next 30 days: 12.36%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 95 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2004-0385

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

References for CVE-2004-0385

http://marc.info/?l=bugtraq&m=108144419001770&w=2
http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf

Patch;Vendor Advisory
http://marc.info/?l=bugtraq&m=107945649127635&w=2
http://www.securityfocus.com/bid/9868
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0078.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/15463
http://www.kb.cert.org/vuls/id/413006

Patch;Third Party Advisory;US Government Resource
http://www.inaccessnetworks.com/ian/services/secadv01.txt

Vendor Advisory

Products affected by CVE-2004-0385

Oracle » E-business Suite » Version: 11I
cpe:2.3:a:oracle:e-business_suite:11i:*:*:*:*:*:*:*
Matching versions
Oracle » Application Server Web Cache » Version: 9.0.0.4.0
cpe:2.3:a:oracle:application_server_web_cache:9.0.0.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Application Server Web Cache » Version: 9.0.2.3.0
cpe:2.3:a:oracle:application_server_web_cache:9.0.2.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Application Server Web Cache » Version: 9.0.3.1.0
cpe:2.3:a:oracle:application_server_web_cache:9.0.3.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Application Server Web Cache » Version: 9.0.4.0.0
cpe:2.3:a:oracle:application_server_web_cache:9.0.4.0.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2004-0385

Threat overview for CVE-2004-0385

Exploit prediction scoring system (EPSS) score for CVE-2004-0385

CVSS scores for CVE-2004-0385

References for CVE-2004-0385

Products affected by CVE-2004-0385