CVE-2020-2737 in Oracleinfo

Summary

by MITRE

Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having Create Session, Execute Catalog Role privilege with network access via Oracle Net to compromise Core RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Core RDBMS. CVSS 3.0 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/08/2025

The vulnerability identified as CVE-2020-2737 resides within Oracle Database Server's Core RDBMS component, representing a significant security weakness that affects multiple versions including 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c. This vulnerability falls under the category of privilege escalation and remote code execution risks, with the Common Weakness Enumeration classification aligning with CWE-269 Privilege Management Issues. The attack vector requires network access through Oracle Net protocol, making it accessible to attackers who can establish connections to the database server. The CVSS score of 6.4 indicates a medium to high severity threat level with substantial impacts across confidentiality, integrity, and availability domains.

The technical flaw manifests when an attacker possesses specific privileges including Create Session and Execute Catalog Role permissions, combined with network access capabilities. This vulnerability operates at the database core level, meaning it targets fundamental database operations and processes rather than surface-level applications. The requirement for high privileged access indicates that the attack path involves leveraging existing legitimate database user accounts with sufficient permissions to execute potentially malicious operations. The difficulty to exploit classification suggests that while not trivial, the vulnerability can be successfully weaponized by determined attackers who understand the specific privilege requirements and network conditions needed.

The operational impact of successful exploitation can result in complete takeover of the Core RDBMS, which represents a catastrophic outcome for database security. This compromise allows attackers to gain full control over database operations, potentially leading to data exfiltration, modification of critical business data, disruption of database services, and establishment of persistent access points. The requirement for human interaction from a person other than the attacker indicates that while the vulnerability itself is exploitable, additional social engineering or user interaction elements may be necessary to complete the attack chain. This aspect of the vulnerability aligns with ATT&CK technique T1078 Valid Accounts, where adversaries leverage legitimate credentials to access systems.

Organizations should implement immediate mitigations including patching affected database versions to the latest Oracle Database releases, enforcing strict network access controls to limit Oracle Net connectivity, and implementing principle of least privilege for database user accounts. Database administrators should conduct comprehensive privilege reviews to ensure that only necessary users possess Create Session and Execute Catalog Role permissions. Network segmentation and firewall rules should restrict access to database ports to only trusted networks and systems. The vulnerability's classification under CVSS 3.0 vector AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H demonstrates that the attack requires network access with high complexity, high privilege requirements, and user interaction, but the potential consequences are severe enough to warrant immediate remediation efforts. Organizations should also monitor database audit logs for suspicious activities and implement intrusion detection systems to identify potential exploitation attempts against this vulnerability.

Responsible

Oracle

Reservation

12/10/2019

Moderation

accepted

CPE

ready

EPSS

0.01031

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!