A vulnerability was found in Oracle Database 11.2.0.4/12.1.0.2/12.2.0.1/18c/19c (Database Software) and classified as critical. This issue affects an unknown function of the component Core RDBMS. The manipulation with an unknown input leads to a privilege escalation vulnerability. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having Create Session, Execute Catalog Role privilege with network access via Oracle Net to compromise Core RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Core RDBMS. CVSS 3.0 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

The weakness was presented 04/15/2020 as Oracle Critical Patch Update Advisory - April 2020 as confirmed advisory (Website). The advisory is shared at oracle.com. The identification of this vulnerability is CVE-2020-2737. The exploitation is known to be difficult. The attack may be initiated remotely. Additional levels of successful authentication are necessary for exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

See 153686, 153290, 153291 and 153292 for similar entries.

Productinfo

Type

• Database Software

Vendor

• Oracle

Name

• Database

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion