The package DBMS_AQADM_SYS contains a SQL injection vulnerability. Oracle versions 9.2.0.8 through 10.2.0.3 are affected.
7794e9874a4f543ae4589f703f2f702dc64a787fe98e19f45a20c036e3247932SQL Injection in package DBMS_AQADM_SYS
Name SQL Injection in package DBMS_AQADM_SYS [CVE-2009-0977]
Systems Affected Oracle 9.2.0.8 - 10.2.0.3
Severity Medium Risk
Category SQL Injection
Vendor URL https://www.oracle.com/
Author Franz Hüll (fh at red-database-security.com)
CVE CVE-2009-0977
Advisory 14 April 2009 (V 1.00)
Details
The package DBMS_AQADM_SYS contains a SQL injection vulnerability.
PROCEDURE GRANT_TYPE_ACCESS( USER_NAME IN VARCHAR2) IS
GRANT_TXT VARCHAR2(100);
GRANT_OPT VARCHAR2(20) := ' with grant option';
BEGIN
EXECUTE_STMT( 'grant execute on sys.aq$_agent to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_subscribers to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_recipients to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_history to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to '|| USER_NAME||GRANT_OPT);
[...]
Patch Information
Apply the patches for Oracle CPU April 2009.
History
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0977]
14-apr-2009 Advisory published
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed