PT-2004-2287 · Oracle · Oracle

Published: 2004-08-04 · Updated: 2017-07-11 · CVE-2004-1370

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Oracle versions 9i through 10g
Description: Multiple SQL injection vulnerabilities exist in PL/SQL procedures that run with definer rights, i.e. with the privileges of the schema that owns them (SYS, WKSYS and CTXSYS for the packages below) rather than with the privileges of the caller. The affected procedures build SQL statements from their parameters, so a remote attacker who can call them can inject arbitrary SQL that is executed with the owner's privileges and thereby gain those privileges. These packages are typically executable by PUBLIC, which is why the issue is reachable from any database session. The affected procedures are DBMS_EXPORT_EXTENSION, WK_ACL.GET_ACL, WK_ACL.STORE_ACL, WK_ADM.COMPLETE_ACL_SNAPSHOT, WK_ACL.DELETE_ACLS_WITH_STATEMENT and DRILOAD.VALIDATE_STMT.
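The vulnerability class described above, as an added illustration that is not code from this advisory or from Oracle: a hypothetical definer-rights procedure that concatenates its parameter into dynamic SQL, followed by a hardened version that binds the value. The schema APP_OWNER, the table APP_ACL and the procedure names are assumptions; the injected input is constructed for the example.

```sql
-- Added example, not Oracle's code. Schema APP_OWNER, table APP_ACL and the
-- procedure names are hypothetical.

-- Vulnerable pattern. AUTHID DEFINER is the default for stand-alone
-- procedures; it is spelled out here to make the point: whatever statement
-- ends up in l_sql runs with APP_OWNER's privileges, not the caller's.
CREATE OR REPLACE PROCEDURE app_owner.get_acl_vuln (p_name IN VARCHAR2)
AUTHID DEFINER
AS
  l_sql VARCHAR2(4000);
  l_acl VARCHAR2(4000);
BEGIN
  -- The parameter is concatenated straight into the statement text, so a
  -- quote in p_name ends the literal and the rest is parsed as SQL.
  l_sql := 'SELECT acl FROM app_owner.app_acl WHERE name = ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_acl;
  DBMS_OUTPUT.PUT_LINE(l_acl);
END get_acl_vuln;
/

-- Constructed input that changes the meaning of the statement. A caller who
-- has only EXECUTE on the procedure reads DBA_USERS through APP_OWNER:
--   EXEC app_owner.get_acl_vuln('nonexistent'' UNION SELECT username FROM dba_users WHERE rownum = 1 AND ''1''=''1')
-- which makes l_sql:
--   SELECT acl FROM app_owner.app_acl WHERE name = 'nonexistent'
--   UNION SELECT username FROM dba_users WHERE rownum = 1 AND '1'='1'

-- Hardened pattern: the value is passed as a bind variable, so it is never
-- parsed as SQL. Invoker rights (AUTHID CURRENT_USER) additionally make the
-- statement run with the caller's own privileges; keep AUTHID DEFINER only
-- when the procedure must deliberately expose data the caller cannot read,
-- and then binding is mandatory.
CREATE OR REPLACE PROCEDURE app_owner.get_acl_safe (p_name IN VARCHAR2)
AUTHID CURRENT_USER
AS
  l_acl VARCHAR2(4000);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT acl FROM app_owner.app_acl WHERE name = :name'
    INTO l_acl USING p_name;
  DBMS_OUTPUT.PUT_LINE(l_acl);
END get_acl_safe;
/
```

Where a parameter genuinely has to become part of the statement text (a table or column name), it cannot be bound; validate it with DBMS_ASSERT.SIMPLE_SQL_NAME or ENQUOTE_NAME, which ship from 10g Release 2, and on older releases check it against an explicit whitelist before concatenating.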
Recommendations: Apply the vendor fix for Oracle 9i and 10g as soon as it is available. Until then, restrict access to the vulnerable packages: revoke the EXECUTE privilege on DBMS_EXPORT_EXTENSION, WK_ACL, WK_ADM and DRILOAD from PUBLIC and from every account that does not strictly need them, and do not call DBMS_EXPORT_EXTENSION, WK_ACL.GET_ACL, WK_ACL.STORE_ACL, WK_ADM.COMPLETE_ACL_SNAPSHOT, WK_ACL.DELETE_ACLS_WITH_STATEMENT or DRILOAD.VALIDATE_STMT from application code. Revoking these grants can affect the features that depend on them (export, Ultra Search and Oracle Text), so test the change before applying it in production. At the time of writing, this entry lists no fixed version.
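The access restriction recommended above, as an added example that is not part of this advisory: an audit query showing who can execute the affected packages, the revocations for the temporary workaround, and a verification query. Run it as a DBA. SYS, WKSYS and CTXSYS are the stock owners of these packages in a default installation; confirm the owners in your own instance with the first query before revoking.

```sql
-- Added example, not from the advisory. Assumes a DBA session.

-- 1. Who can execute the affected packages? DBA_TAB_PRIVS lists packages
--    under TABLE_NAME like any other object.
SELECT grantee, owner, table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE table_name IN ('DBMS_EXPORT_EXTENSION', 'WK_ACL', 'WK_ADM', 'DRILOAD')
   AND privilege = 'EXECUTE'
 ORDER BY owner, table_name, grantee;

-- 2. Temporary workaround: withdraw the PUBLIC grants so an arbitrary
--    database session can no longer reach the injectable procedures.
--    Owners below are the defaults; adjust if step 1 shows otherwise.
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;
REVOKE EXECUTE ON wksys.wk_acl              FROM PUBLIC;
REVOKE EXECUTE ON wksys.wk_adm              FROM PUBLIC;
REVOKE EXECUTE ON ctxsys.driload            FROM PUBLIC;

-- 3. Verify: this should return no rows.
SELECT owner, table_name
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_EXPORT_EXTENSION', 'WK_ACL', 'WK_ADM', 'DRILOAD');

-- If a specific application account still needs one of the packages, grant
-- EXECUTE to that account alone rather than restoring the PUBLIC grant:
--   GRANT EXECUTE ON ctxsys.driload TO app_text_user;
```

Expect export utilities, Ultra Search and Oracle Text to lose functionality for accounts that relied on the PUBLIC grant; re-grant to named accounts only where the dependency is confirmed.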

Related Identifiers

CVE-2004-1370

Affected Products

Oracle