Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-6065Oracle Database Server vulnerability

4 documents4 sources
Severity
5.1MEDIUMNVD
CNA6.0
EPSS
6.0%
top 9.26%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Oracle Database Server
Timeline
PublishedFeb 5
Latest updateMay 14

Description

Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE permissions for arbitrary pathnames that are aliased in a CREATE OR REPLACE DIRECTORY statement, which allows remote authenticated users with CREATE ANY DIRECTORY privileges to gain SYSDBA privileges by aliasing the pathname of the password directory, and then overwriting the password file through UTL_FILE operations, a related issue to CVE-2006-7141.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages1 packages

NVDoracle/database_server10.1, 10.2, 11+2

🔴Vulnerability Details

2
GHSA
GHSA-j3hv-8587-44rm: Oracle Database Server 102022-05-14
CVEList
CVE-2008-6065: Oracle Database Server 102009-02-05

💥Exploits & PoCs

1
Exploit-DB
Oracle Database Server 11.1 - 'CREATE ANY Directory' Privilege Escalation2008-10-13
CVE-2008-6065 — Oracle Database Server vulnerability | cvebase