• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Oracle Database Access Restriction Bypass Vulnerability

Oracle Database is susceptible to a vulnerability that allows attackers to bypass access restrictions. This issue is due to a failure of the application to properly enforce read-only privileges for user roles in certain circumstances.

To exploit this issue, a user must have 'CREATE VIEW' and 'CREATE DATABASE LINK' privileges. Also, the base table must have a primary key.

This issue allows attackers to modify data stored in affected databases, even if they are granted just read-only access. This may allow them to gain elevated privileges in the database.

Oracle versions 9.2.0.0 through 10.2.0.3 are affected by this issue.

This issue was originally disclosed by the vendor via Metalink, under the title "363848.1 - A User with SELECT Object Privilege on Base Tables Can Delete Rows from a View". This article has reportedly been removed since its initial disclosure.