CVE-2020-14736

Name of the Vulnerable Software and Affected Versions: Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1

Description: The issue is related to insufficient input validation in the Database Vault component of Oracle Database Server. It allows a high-privileged attacker with Create Public Synonym privilege and network access via Oracle Net to compromise Database Vault. Successful attacks can result in unauthorized update, insert, or delete access to some Database Vault accessible data, as well as unauthorized read access to a subset of Database Vault accessible data.

Recommendations: For versions 11.2.0.4, 12.1.0.2, and 12.2.0.1, consider restricting access to the Database Vault component until a patch is available. As a temporary workaround, limit the use of Create Public Synonym privilege to minimize the risk of exploitation. Restrict network access via Oracle Net to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.