CVE-2009-1991 — SQL Injection in Oracle Database Server

4 documents4 sources

Severity

3.6LOWNVD

EPSS

0.7%

top 28.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Database Server

Timeline

PublishedOct 22

Latest updateMay 2

Description

Unspecified vulnerability in the Oracle Text component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity, related to CTXSYS.DRVXTABC. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an established researcher that this is for multiple SQL injection vulnerabilities via the (1) idx_owner or (2) idx_name parameters to the create_tables procedure.

CVSS vector

AV:N/AC:H/C:P/I:P/A:NExploitability: 3.9 | Impact: 4.9

Affected Packages1 packages

▶NVDoracle/database_server4 versions+3

🔴Vulnerability Details

GHSA

GHSA-633w-96qq-p94x: Unspecified vulnerability in the Oracle Text component in Oracle Database 9↗2022-05-02

▶

CVEList

CVE-2009-1991: Unspecified vulnerability in the Oracle Text component in Oracle Database 9↗2009-10-22

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt↗2010-07-30

▶