CVE-2002-1631

SQL injection vulnerability in the query.xsql sample page in Oracle 9i Application Server (9iAS) allows remote attackers to execute arbitrary code via the sql parameter.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.nextgenss.com/papers/hpoas.pdf	Exploit Patch
http://www.kb.cert.org/vuls/id/SVIM-576QLZ	US Government Resource
http://www.oracle.com/technology/deploy/security/pdf/ias_modplsql_alert.pdf
http://www.kb.cert.org/vuls/id/717827	Patch US Government Resource
http://www.securityfocus.com/bid/6556

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:application_server:9.0.2.0.0:::::::*
	cpe:2.3:a:oracle:application_server:1.0.2:::::::*
	cpe:2.3:a:oracle:application_server:1.0.2.1s:::::::*
	cpe:2.3:a:oracle:application_server:1.0.2.2:::::::*
	cpe:2.3:a:oracle:application_server:9.0.2.0.1:::::::*

Information

Published : 2002-12-30 21:00

Updated : 2008-09-05 13:31

NVD link : CVE-2002-1631

Mitre link : CVE-2002-1631

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

oracle

application_server

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.nextgenss.com/papers/hpoas.pdf", "name": "http://www.nextgenss.com/papers/hpoas.pdf", "tags": ["Exploit", "Patch"], "refsource": "MISC"}, {"url": "http://www.kb.cert.org/vuls/id/SVIM-576QLZ", "name": "http://www.kb.cert.org/vuls/id/SVIM-576QLZ", "tags": ["US Government Resource"], "refsource": "CONFIRM"}, {"url": "http://www.oracle.com/technology/deploy/security/pdf/ias_modplsql_alert.pdf", "name": "http://www.oracle.com/technology/deploy/security/pdf/ias_modplsql_alert.pdf", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.kb.cert.org/vuls/id/717827", "name": "VU#717827", "tags": ["Patch", "US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://www.securityfocus.com/bid/6556", "name": "6556", "tags": [], "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "SQL injection vulnerability in the query.xsql sample page in Oracle 9i Application Server (9iAS) allows remote attackers to execute arbitrary code via the sql parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2002-1631", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2002-12-31T05:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:application_server:9.0.2.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:application_server:1.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:application_server:1.0.2.1s:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:oracle:application_server:9.0.2.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2008-09-05T20:31Z"}