CVE-2010-3600

2011-01-1916:00:03

oracle

web.nvd.nist.gov

cve-2010-3600

oracle

database server

enterprise manager

unspecified vulnerability

remote attackers

confidentiality

integrity

availability

arbitrary code execution

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.2

Confidence

Low

EPSS

0.972

Percentile

99.9%

JSON

Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code.

Affected configurations

Nvd

Node

oracledatabase_serverMatch11.1.0.7

oracledatabase_serverMatch11.2.0.1

oracleenterprise_manager_grid_controlMatch10.2.0.5

VendorProductVersionCPE
oracledatabase_server11.1.0.7cpe:2.3:a:oracle:database_server:11.1.0.7:*:*:*:*:*:*:*
oracledatabase_server11.2.0.1cpe:2.3:a:oracle:database_server:11.2.0.1:*:*:*:*:*:*:*
oracleenterprise_manager_grid_control10.2.0.5cpe:2.3:a:oracle:enterprise_manager_grid_control:10.2.0.5:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
oracle	database_server	11.1.0.7	cpe:2.3:a:oracle:database_server:11.1.0.7:::::::*
oracle	database_server	11.2.0.1	cpe:2.3:a:oracle:database_server:11.2.0.1:::::::*
oracle	enterprise_manager_grid_control	10.2.0.5	cpe:2.3:a:oracle:enterprise_manager_grid_control:10.2.0.5:::::::*