PT-2006-1647 · Oracle · Oracle 10G
Alexander Kornbrust · Published 2006-02-08 · Updated 2018-10-19 · CVE-2006-0586
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Oracle 10g Release 1 versions prior to CPU Jan 2006
Description
The issue allows remote attackers to execute arbitrary SQL commands via multiple parameters in various functions. This is achieved through SQL injection vulnerabilities in the SYS.KUPV$FT package, specifically in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB functions, and in the SYS.KUPV$FT_INT package, affecting functions such as UPDATE_JOB, ACTIVE_JOB, ATTACH_POSSIBLE, ATTACH_TO_JOB, CREATE_NEW_JOB, DELETE_JOB, DELETE_MASTER_TABLE, DETACH_JOB, GET_JOB_INFO, GET_JOB_QUEUES, GET_SOLE_JOBNAME, MASTER_TBL_LOCK, and VALID_HANDLE. The estimated number of potentially affected devices and details about real-world incidents are not provided.
Recommendations
For Oracle 10g Release 1 versions prior to CPU Jan 2006, apply the CPU Jan 2006 patch to address the SQL injection vulnerabilities in the affected packages. As a temporary workaround, restrict access to the vulnerable functions in the SYS.KUPV$FT and SYS.KUPV$FT_INT packages to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected functions until the issue is resolved.
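The workaround above says to restrict access to the two packages without saying how to scope it. The following is an added example, not part of the PT advisory or of Oracle's own guidance: it first lists which grantees can execute SYS.KUPV$FT and SYS.KUPV$FT_INT, then withdraws the broad grant. It assumes a DBA-privileged session and that a PUBLIC execute grant is what the inventory query turns up; adjust the REVOKE to whatever grantees actually appear.

```sql
-- Added example (not from the advisory). Assumes a DBA session on the 10g R1 instance.

-- 1. Inventory: who holds EXECUTE on the packages named in the advisory?
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('KUPV$FT', 'KUPV$FT_INT')
ORDER  BY table_name, grantee;

-- 2. Workaround: withdraw the broad grant until CPU Jan 2006 is applied.
--    Assumption: PUBLIC appeared in the inventory above; revoke from the
--    grantees you actually found instead if it did not.
REVOKE EXECUTE ON SYS.KUPV$FT     FROM PUBLIC;
REVOKE EXECUTE ON SYS.KUPV$FT_INT FROM PUBLIC;

-- 3. Re-run the inventory to confirm only intended accounts remain.
SELECT grantee, table_name
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('KUPV$FT', 'KUPV$FT_INT');
```

These packages sit underneath Data Pump, so revoking the grant can break export and import jobs for accounts that relied on it; run the inventory first, note any service accounts listed, and restore the patch rather than leaving the revoke in place long term.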
Exploit
Fix
RCE
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Oracle 10G