CVE-2004-1362

3 documents3 sources

Severity

7.5HIGH

EPSS

4.0%

top 11.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Application Server Oracle Collaboration Suite Oracle E-business Suite +6 more

Timeline

PublishedAug 4

Latest updateApr 29

Description

The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages9 packages

▶NVDoracle/application_server11 versions+10

▶NVDoracle/oracle8i19 versions+18

▶NVDoracle/oracle9i36 versions+35

▶NVDoracle/oracle10g6 versions+5

▶NVDoracle/e-business_suite9 versions+8

Patches

Patch: www.ngssoftware.com ↗Patch: www.oracle.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-7qjg-gh78-xg4v: The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character c↗2022-04-29

▶

CVEList

CVE-2004-1362: The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character c↗2005-01-19

▶