Vulnerability Details : CVE-2012-3132
SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to execute arbitrary SQL commands via vectors involving CREATE INDEX with a CTXSYS.CONTEXT INDEXTYPE and DBMS_STATS.GATHER_TABLE_STATS.
Vulnerability category: SQL Injection
Products affected by CVE-2012-3132
- cpe:2.3:a:oracle:database_server:10.2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:10.2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:10.2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.2.0.3:*:*:*:*:*:*:*
Threat overview for CVE-2012-3132
Top countries where our scanners detected CVE-2012-3132
Top open port discovered on systems with this issue: 1521
IPs affected by CVE-2012-3132: 18,338
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2012-3132
EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
EPSS Score History
EPSS percentile: ~55% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2012-3132
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | 
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | N/A | N/A | Oracle:CVE-2012-3132 | 
CWE ids for CVE-2012-3132
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2012-3132
- Oracle Critical Patch Update - October 2012: http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- Team SHATTER: CTXSYS.CONTEXT privilege escalation: http://www.teamshatter.com/topics/general/team-shatter-exclusive/ctxsys-context-privilege-escalation/
- Oracle Security Blog (Vendor Advisory): https://blogs.oracle.com/security/entry/security_alert_cve_2012_3132
- Mandriva advisory MDVSA-2013:150: http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- Oracle Security Alert CVE-2012-3132 (Vendor Advisory): http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html
- Network World (Black Hat coverage): http://www.networkworld.com/news/2012/072712-black-hat-shark-bitten-security-researcher-261203.html
- Dark Reading: Hacking Oracle Database Indexes: http://www.darkreading.com/database-security/167901020/security/news/240004776/hacking-oracle-database-indexes.html
- SecurityTracker: Oracle Database 'INDEXTYPE CTXSYS.CONTEXT' Bug Lets Remote Authenticated Users Gain Elevated Privileges: http://www.securitytracker.com/id?1027367