CVE-2009-0993 - Vulnerability Details - OpenCVE

Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Application Server

Configuration 1 [-]

cpe:2.3:a:oracle:application_server:10.1.2.3.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://secunia.com/advisories/34693
http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
http://www.securityfocus.com/archive/1/502683/100/0/threaded
http://www.securityfocus.com/bid/34461
http://www.securitytracker.com/id?1022055
http://www.us-cert.gov/cas/techalerts/TA09-105A.html
http://www.zerodayinitiative.com/advisories/ZDI-09-017
https://exchange.xforce.ibmcloud.com/vulnerabilities/50030

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2009-04-15T10:00:00

Updated: 2024-08-07T04:57:17.507Z

Reserved: 2009-03-19T00:00:00

Link: CVE-2009-0993

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-04-15T10:30:00.687

Modified: 2024-11-21T01:01:24.867

Link: CVE-2009-0993

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-04-14T00:00:00", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-10T18:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "1022055", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1022055"}, {"name": "34461", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/34461"}, {"name": "34693", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34693"}, {"name": "TA09-105A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"}, {"name": "oracle-appserver-opmn-unspecified(50030)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"}, {"name": "20090414 ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2009-0993", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1022055", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022055"}, {"name": "34461", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34461"}, {"name": "34693", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34693"}, {"name": "TA09-105A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"}, {"name": "http://www.zerodayinitiative.com/advisories/ZDI-09-017", "refsource": "MISC", "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"}, {"name": "oracle-appserver-opmn-unspecified(50030)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"}, {"name": "20090414 ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T04:57:17.507Z"}, "title": "CVE Program Container", "references": [{"name": "1022055", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1022055"}, {"name": "34461", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/34461"}, {"name": "34693", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34693"}, {"name": "TA09-105A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"}, {"name": "oracle-appserver-opmn-unspecified(50030)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"}, {"name": "20090414 ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2009-0993", "datePublished": "2009-04-15T10:00:00", "dateReserved": "2009-03-19T00:00:00", "dateUpdated": "2024-08-07T04:57:17.507Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:application_server:10.1.2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "415018EB-2D62-49B5-BBBE-E8276400A1BB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log."}, {"lang": "es", "value": "Vulnerabilidad sin especificar en el componente OPMN en Oracle Application Server v10.1.2.3 permite a atacantes remotos afectar a la confidencialidad, la disponibilidad, y la integridad a trav\u00e9s de vectores desconocidos."}], "id": "CVE-2009-0993", "lastModified": "2024-11-21T01:01:24.867", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-04-15T10:30:00.687", "references": [{"source": "secalert_us@oracle.com", "url": "http://secunia.com/advisories/34693"}, {"source": "secalert_us@oracle.com", "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/bid/34461"}, {"source": "secalert_us@oracle.com", "url": "http://www.securitytracker.com/id?1022055"}, {"source": "secalert_us@oracle.com", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"}, {"source": "secalert_us@oracle.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/34693"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/34461"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1022055"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}