Improper Access Control
CVE-2023-21893
Summary
Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. This vulnerability affects Oracle.ManagedDataAccess versions 19.x prior to 19.18.0 and 21.x prior to 21.9.0, and Oracle.ManagedDataAccess.Core versions 2.19.x prior to 2.19.180 and 3.21.x prior to 3.21.90. The difficult-to-exploit vulnerability allows unauthenticated attackers with network access via TCPS to compromise Oracle Data Provider for .NET. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in the takeover of Oracle Data Provider for .NET. Note: This also applies to Database client-only installations on the Windows platform.
CVSS v3.1 base metrics (labels assigned from the summary text and the published vector for this CVE):
- Severity: HIGH
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Scope: UNCHANGED
- User Interaction: REQUIRED
- Privileges Required: NONE
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
CWE-284 - Improper Access Control
Listed 5th in the 'OWASP Top Ten', improper (or broken) access control is a fundamental class of vulnerability. It covers a broad range of design flaws that let users act outside their intended permissions. An attacker can use those excess privileges to reach restricted files and functionality: reading restricted information, falsifying records, destroying data, or executing commands.
Advisory Timeline
- Published