CVE-2013-5795
published 2014-01-15

CVE-2013-5795: Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1…

Priority: P3 (51)
Severity: medium, CVSS 2.0 base score 5.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N (network, low complexity, no authentication; partial confidentiality impact only)
Exploit: public exploit available
EPSS: 59.49% (99.0th percentile)
Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, 12.2.2, and 12.2.3 allows remote attackers to affect confidentiality via unknown vectors related to DM Others.

Affected

6 ranges (the version bounds and fix versions are not populated on this page; the affected version list is the one in the description above)

Vendor   Product                                  Version range   Fixed in
oracle   supply_chain_products_suite              (not listed)    (not listed)
oracle   supply_chain_products_suite_sql-server   (not listed)    (not listed)   (5 ranges)

Detection & IOCs (extracted from sources)

  url    http://target.com:8080/demantra/ServerDetailsServlet?UAK=
  path   /demantra/ServerDetailsServlet
  other  406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1  (static UAK key value)
  • Monitor HTTP requests to /demantra/ServerDetailsServlet that carry a UAK query parameter: this endpoint returns database credentials to unauthenticated callers.
  • The UAK value is static. It is computed with SHA-256 from the hardcoded seed 'er6Us8wB' and does not change between deployments, so the attack reproduces against any unpatched instance and the key 406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1 can be matched verbatim. Alert on, or block at the WAF, any request that presents this exact value in the UAK parameter; because the key is public, a hit is an exploitation attempt regardless of the response code.
  • No authentication is required, so look for unauthenticated GET requests to ServerDetailsServlet in web and application server access logs. A request to the servlet without the key is still worth recording as a probe.
  • Affected versions span the SQL-Server and non-SQL-Server builds listed in the description (7.2.0.3, 7.3.0, 7.3.1, 12.2.1, 12.2.2, 12.2.3). The Metasploit module targets 12.2.1 specifically, but the credential-leak endpoint is present in all listed versions.
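The detection logic above as a worked example. This is added here and is not code from cvebase, Oracle, or the Metasploit module: a Python script that runs over Apache/Tomcat-style "combined" access-log lines, picks out requests to /demantra/ServerDetailsServlet, and grades each one by whether the UAK parameter is absent (probe), carries an unexpected value (scanner or guessing), or carries the static key (exploitation attempt). The path, key and seed are the page's indicators; the log format, the sample lines, the severity tiers and the function names are this example's own assumptions. Since the page states the key is SHA-256 of the seed, the script also derives the key locally and matches either value, so the rule does not depend on the published hex having been transcribed correctly.

```python
"""Detection rule for CVE-2013-5795: unauthenticated database-credential leak
via /demantra/ServerDetailsServlet?UAK=<key>.

Added example; not code from cvebase, Oracle, or the Metasploit module.
Assumes Apache/Tomcat "combined" access-log lines. The sample lines below are
constructed for this example.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the page.
TARGET_PATH = "/demantra/ServerDetailsServlet"
KNOWN_UAK = "406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1"
SEED = b"er6Us8wB"

# The page states the key is SHA-256 of the hardcoded seed. The value is also
# derived locally and unioned with the published hex, so the rule still fires
# if the published value was transcribed wrongly.
KNOWN_UAKS = {KNOWN_UAK, hashlib.sha256(SEED).hexdigest().upper()}

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return an alert dict for a line that touches the servlet, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Case-insensitive path match: the affected builds include SQL-Server
    # (Windows) deployments where the container may not be case-sensitive.
    if url.path.rstrip("/").lower() != TARGET_PATH.lower():
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    uaks = params.get("UAK", [])  # servlet parameter names are case-sensitive
    if not uaks:
        severity, reason = "low", "probe of credential-leak servlet without UAK"
    elif any(v.upper() in KNOWN_UAKS for v in uaks):
        severity, reason = "high", "static UAK key presented; exploitation attempt"
    else:
        severity, reason = "medium", "UAK parameter with unexpected value (scanner or guessing)"
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "uak": uaks[0] if uaks else None,
        "severity": severity,
        "reason": reason,
    }


def scan(lines):
    """Run classify() over an iterable of log lines, dropping non-matches."""
    return [alert for alert in (classify(line) for line in lines) if alert]


# Constructed sample: one bare probe, one exploitation attempt, one guess, one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2014:10:02:09 +0000] "GET /demantra/ServerDetailsServlet HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2014:10:02:11 +0000] "GET /demantra/ServerDetailsServlet?UAK=406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jan/2014:10:05:40 +0000] "GET /demantra/ServerDetailsServlet?UAK=deadbeef HTTP/1.1" 200 412 "-" "curl/7.30.0"
192.0.2.44 - - [15/Jan/2014:10:06:01 +0000] "GET /demantra/portal/loginpage.jsp HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f'{alert["severity"]:<6} {alert["src"]:<15} {alert["ts"]}  {alert["reason"]}')
```

Run it directly to print the three alerts from the constructed sample; in production, feed it access-log lines from a SIEM export or stdin. The three tiers map onto the bullets above: the literal-key tier is what a WAF block rule on the published value catches (the Metasploit module and copy-paste exploits), while the path-only and unexpected-value tiers catch reconnaissance and variants that change the parameter value.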