CVE-2004-1338

Name of the Vulnerable Software and Affected Versions: Oracle versions 9i and 10g

Description: The issue allows local users to gain privileges by exploiting a sequence of partially privileged actions. This is achieved by using CCBKAPPLROWTRIG or EXEC CBK FN DML to add arbitrary functions to the SDO CMT DBK FN TABLE and SDO CMT CBK DML TABLE, then performing a DELETE on the SDO TXN IDX INSERTS table. This action causes the SDO CMT CBK TRIG trigger to execute the user-supplied functions.

Recommendations: For Oracle versions 9i and 10g, consider restricting access to the CCBKAPPLROWTRIG and EXEC CBK FN DML functions to prevent the addition of arbitrary functions to the SDO CMT DBK FN TABLE and SDO CMT CBK DML TABLE. Additionally, limit the ability to perform DELETE operations on the SDO TXN IDX INSERTS table to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.