Published: 21/01/2015 Updated: 28/11/2016

CVSS v2 Base Score: 6.8 | Impact Score: 6.9 | Exploitability Score: 8

VMScore: 605

Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows malicious users to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.

Vulnerable Product	Search on Vulmon	Subscribe to Product
oracle database server 12.1.0.1
oracle database server 12.1.0.2
oracle database server 11.2.0.3
oracle database server 11.2.0.4

Automated Oracle CVE-2014-6577 exploitation via SQLi

oracle-xxe-sqli Automated Oracle CVE-2014-6577 exploitation via SQLi Usage: oracle-xxe-sqlipy [-h] [-i IP] [-p PORT] [--disable-server] [--custom-headers CUSTOM_HEADERS] [-f PAYLOAD_FILE] url Options positional arguments: url URL to inject Use * as the injection marker, just once optional arguments: -h, --help

NVD-CWE-noinfo http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html https://blog.netspi.com/advisory-xxe-injection-oracle-database-cve-2014-6577/http://www.securitytracker.com/id/1031572 http://www.securityfocus.com/bid/72139 https://nvd.nist.gov https://github.com/SecurityArtWork/oracle-xxe-sqli

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2014-6577

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect