PT-2023-6192 · Oracle · Oracle Database Server
Andrejs Macnevs · Published 2023-10-17 · Updated 2023-10-23 · CVE-2023-22071
| CVSS v3.1 | 5.9 (Medium) |
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Oracle Database Server versions 19.3 through 19.20
Oracle Database Server versions 21.3 through 21.11
Description
The vulnerability in the PL/SQL component of Oracle Database Server is related to insufficient input validation. Exploitation of this issue may allow a remote attacker to gain unauthorized access to protected data or modify, add, or delete protected data. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. Attacks can result in unauthorized update, insert, or delete access to some PL/SQL accessible data, as well as unauthorized read access to a subset of PL/SQL accessible data and the ability to cause a partial denial of service of PL/SQL.
Recommendations
For Oracle Database Server versions 19.3 through 19.20, update to a version outside of this range to resolve the issue.
For Oracle Database Server versions 21.3 through 21.11, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting access to the PL/SQL component until a patch is available.
Restrict network access via Oracle Net to minimize the risk of exploitation.
Avoid granting the CREATE SESSION privilege and EXECUTE on SYS.UTL_HTTP to untrusted users.
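A defender's audit for the last recommendation, added here as an example and not part of the advisory: the query assumes a DBA session on Oracle 12.1 or later and reports every non-Oracle-maintained account that holds both CREATE SESSION and EXECUTE on SYS.UTL_HTTP, resolving grants made through PUBLIC and nested roles.

```sql
-- Added audit query; not part of the advisory. Assumes a DBA session on
-- Oracle 12.1 or later (DBA_USERS.ORACLE_MAINTAINED was introduced there).
-- Lists every non-Oracle-maintained user who can both log in (CREATE SESSION)
-- and call SYS.UTL_HTTP, whether the grant is direct, via PUBLIC, or via a role chain.
WITH role_chain (grantee, granted_role) AS (
  -- anchor: roles granted directly to users, roles, or PUBLIC
  SELECT grantee, granted_role FROM dba_role_privs
  UNION ALL
  -- recursive step: roles granted to roles already reached (Oracle rejects circular role grants, so no CYCLE clause is needed)
  SELECT rc.grantee, rp.granted_role
  FROM role_chain rc
  JOIN dba_role_privs rp ON rp.grantee = rc.granted_role
),
effective_grantee (user_name, holder) AS (
  -- a user holds what is granted to itself, to PUBLIC, and to every role it reaches
  SELECT username, username FROM dba_users
  UNION
  SELECT username, 'PUBLIC' FROM dba_users
  UNION
  SELECT u.username, rc.granted_role
  FROM dba_users u JOIN role_chain rc ON rc.grantee = u.username
  UNION
  SELECT u.username, rc.granted_role
  FROM dba_users u CROSS JOIN role_chain rc
  WHERE rc.grantee = 'PUBLIC'
),
can_connect AS (
  SELECT DISTINCT eg.user_name
  FROM effective_grantee eg
  JOIN dba_sys_privs sp ON sp.grantee = eg.holder
  WHERE sp.privilege = 'CREATE SESSION'
),
can_call_utl_http AS (
  SELECT DISTINCT eg.user_name, eg.holder AS via
  FROM effective_grantee eg
  JOIN dba_tab_privs tp ON tp.grantee = eg.holder
  WHERE tp.owner = 'SYS' AND tp.table_name = 'UTL_HTTP'
    AND tp.privilege = 'EXECUTE'
)
SELECT h.user_name, h.via
FROM can_call_utl_http h
JOIN can_connect c ON c.user_name = h.user_name
JOIN dba_users u ON u.username = h.user_name
WHERE u.oracle_maintained = 'N'
ORDER BY h.user_name, h.via;

-- Remediation for a hit, using the constructed account name APP_USER:
-- REVOKE EXECUTE ON sys.utl_http FROM app_user;
```

A `via` value of PUBLIC means the package is reachable from every account that can log in; revoke the grant from PUBLIC and re-grant EXECUTE only to the schemas that need outbound HTTP.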
Fix
RCE