PT-2023-1244 · Oracle · Oracle Data Provider For .Net

Georg Jung · Published 2023-01-17 · Updated 2024-09-17

CVE-2023-21893

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Oracle Data Provider for .NET versions 19c through 21c

Description

The issue stems from insufficient input validation in the Oracle Data Provider for .NET component of Oracle Database Server. It allows an unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for .NET. Successful attacks require human interaction from a person other than the attacker and can result in a takeover of Oracle Data Provider for .NET. This issue also applies to Database client-only installations on Windows platforms.

Recommendations

For Oracle Data Provider for .NET versions 19c through 21c, update to a version that includes the fix, as referenced in the readme.txt files inside the .nupkg packages. As a temporary workaround, consider restricting access to the TCPS protocol to minimize the risk of exploitation.

Fix

Improper Access Control

RCE

Weakness Enumeration

Related Identifiers

BDU:2023-00505
CVE-2023-21893
GHSA-5PM2-9MR2-3FRQ
ZDI-23-488

Affected Products

Oracle Data Provider For .Net
Oracle Database