SB2020041701 - Multiple vulnerabilities in Oracle Database Server 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020041701

SB2020041701 - Multiple vulnerabilities in Oracle Database Server

Published: April 17, 2020 Updated: November 20, 2021

Security Bulletin ID SB2020041701
Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 38% Low 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2020-2734)

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the RDBMS/Optimizer in Oracle Database Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.


2) Improper input validation (CVE-ID: CVE-2020-2514)

The vulnerability allows a remote authenticated user to manipulate or delete data.

The vulnerability exists due to improper input validation within the Oracle Application Express in Oracle Database Server. A remote authenticated user can exploit this vulnerability to manipulate or delete data.


3) Cross-site scripting (CVE-ID: CVE-2016-7103)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in jQuery UI before 1.12.0. A remote authenticated attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Improper input validation (CVE-ID: CVE-2019-2853)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Oracle Text in Oracle Database Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.


5) Improper input validation (CVE-ID: CVE-2020-2737)

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core RDBMS in Oracle Database Server. A remote privileged user can exploit this vulnerability to execute arbitrary code.


6) Session Fixation (CVE-ID: CVE-2019-17563)

The vulnerability allows a remote attacker to perform a session fixation attack.

The vulnerability exists due to a race condition when FORM authentication is used in Apache Tomcat. A remote attacker can use a narrow window to perform a session fixation attack.


7) Improper input validation (CVE-ID: CVE-2016-10251)

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Oracle Multimedia in Oracle Database Server. A remote authenticated user can exploit this vulnerability to execute arbitrary code.


8) Improper input validation (CVE-ID: CVE-2020-2735)

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote authenticated user can exploit this vulnerability to execute arbitrary code.


Remediation

Install update from vendor's website.

References