Oracle Database Server up to 19.26/21.17/23.7 RAS Security improper authorization

Summaryinfo

A vulnerability was found in Oracle Database Server up to 19.26/21.17/23.7. It has been classified as critical. This affects an unknown part of the component RAS Security Component. Performing a manipulation results in improper authorization. This vulnerability is identified as CVE-2025-30701. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as critical has been found in Oracle Database Server up to 19.26/21.17/23.7. This affects an unknown code block of the component RAS Security Component. The manipulation with an unknown input leads to a improper authorization vulnerability. CWE is classifying the issue as CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Vulnerability in the RAS Security component of Oracle Database Server. Supported versions that are affected are 19.3-19.26, 21.3-21.17 and 23.4-23.7. Easily exploitable vulnerability allows low privileged attacker having User Account privilege with network access via Oracle Net to compromise RAS Security. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all RAS Security accessible data as well as unauthorized access to critical data or complete access to all RAS Security accessible data. CVSS 3.1 Base Score 7.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

It is possible to read the advisory at oracle.com. This vulnerability is uniquely identified as CVE-2025-30701 since 03/25/2025. The exploitability is told to be easy. It is possible to initiate the attack remotely. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 04/15/2025). The attack technique deployed by this issue is T1548.002 according to MITRE ATT&CK.

Upgrading eliminates this vulnerability.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Database Software

Vendor

• Oracle

Name

• Database Server

Version

• 19.0
• 19.1
• 19.2
• 19.3
• 19.4
• 19.5
• 19.6
• 19.7
• 19.8
• 19.9
• 19.10
• 19.11
• 19.12
• 19.13
• 19.14
• 19.15
• 19.16
• 19.17
• 19.18
• 19.19
• 19.20
• 19.21
• 19.22
• 19.23
• 19.24
• 19.25
• 19.26
• 21.0
• 21.1
• 21.2
• 21.3
• 21.4
• 21.5
• 21.6
• 21.7
• 21.8
• 21.9
• 21.10
• 21.11
• 21.12
• 21.13
• 21.14
• 21.15
• 21.16
• 21.17
• 23.0
• 23.1
• 23.2
• 23.3
• 23.4
• 23.5
• 23.6
• 23.7

License

• commercial

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion