CVE-2004-1362
First published: Wed Aug 04 2004(Updated: )
The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Application Server | ||
| Oracle Application Server | =9.0.2 | |
| Oracle Application Server | =9.0.2.0.0 | |
| Oracle Application Server | =9.0.2.0.1 | |
| Oracle Application Server | =9.0.2.1 | |
| Oracle Application Server | =9.0.2.2 | |
| Oracle Application Server | =9.0.2.3 | |
| Oracle Application Server | =9.0.3 | |
| Oracle Application Server | =9.0.3.1 | |
| Oracle Application Server | =9.0.4 | |
| Oracle Application Server | =9.0.4.0 | |
| Oracle Application Server | =9.0.4.1 | |
| Oracle Collaboration Suite 10g release 1 | =release_1 | |
| Oracle E-Business Suite | =11.5.1 | |
| Oracle E-Business Suite | =11.5.2 | |
| Oracle E-Business Suite | =11.5.3 | |
| Oracle E-Business Suite | =11.5.4 | |
| Oracle E-Business Suite | =11.5.5 | |
| Oracle E-Business Suite | =11.5.6 | |
| Oracle E-Business Suite | =11.5.7 | |
| Oracle E-Business Suite | =11.5.8 | |
| Oracle E-Business Suite | =11.5.9 | |
| Oracle Enterprise Manager for Oracle Database | =9 | |
| Oracle Enterprise Manager for Oracle Database | =9.0.1 | |
| Oracle Enterprise Manager for Oracle Database | =10.1.2 | |
| Oracle Enterprise Manager Grid Control 10g | =10.1.0.2 | |
| Oracle Database 10g | =enterprise_9.0.4_.0 | |
| Oracle Database 10g | =enterprise_10.1.0.2 | |
| Oracle Database 10g | =personal_9.0.4_.0 | |
| Oracle Database 10g | =personal_10.1_.0.2 | |
| Oracle Database 10g | =standard_9.0.4_.0 | |
| Oracle Database 10g | =standard_10.1_.0.2 | |
| Oracle 8i | =enterprise_8.0.5_.0.0 | |
| Oracle 8i | =enterprise_8.0.6_.0.0 | |
| Oracle 8i | =enterprise_8.0.6_.0.1 | |
| Oracle 8i | =enterprise_8.1.5_.0.0 | |
| Oracle 8i | =enterprise_8.1.5_.0.2 | |
| Oracle 8i | =enterprise_8.1.5_.1.0 | |
| Oracle 8i | =enterprise_8.1.6_.0.0 | |
| Oracle 8i | =enterprise_8.1.6_.1.0 | |
| Oracle 8i | =enterprise_8.1.7_.0.0 | |
| Oracle 8i | =enterprise_8.1.7_.1.0 | |
| Oracle 8i | =enterprise_8.1.7_.4 | |
| Oracle 8i | =standard_8.0.6 | |
| Oracle 8i | =standard_8.0.6_.3 | |
| Oracle 8i | =standard_8.1.5 | |
| Oracle 8i | =standard_8.1.6 | |
| Oracle 8i | =standard_8.1.7 | |
| Oracle 8i | =standard_8.1.7_.0.0 | |
| Oracle 8i | =standard_8.1.7_.1 | |
| Oracle 8i | =standard_8.1.7_.4 | |
| Oracle Oracle9i | =client_9.2.0.1 | |
| Oracle Oracle9i | =client_9.2.0.2 | |
| Oracle Oracle9i | =enterprise_8.1.7 | |
| Oracle Oracle9i | =enterprise_9.0.1 | |
| Oracle Oracle9i | =enterprise_9.0.1.4 | |
| Oracle Oracle9i | =enterprise_9.0.1.5 | |
| Oracle Oracle9i | =enterprise_9.2.0 | |
| Oracle Oracle9i | =enterprise_9.2.0.1 | |
| Oracle Oracle9i | =enterprise_9.2.0.2 | |
| Oracle Oracle9i | =enterprise_9.2.0.3 | |
| Oracle Oracle9i | =enterprise_9.2.0.4 | |
| Oracle Oracle9i | =enterprise_9.2.0.5 | |
| Oracle Oracle9i | =personal_8.1.7 | |
| Oracle Oracle9i | =personal_9.0.1 | |
| Oracle Oracle9i | =personal_9.0.1.4 | |
| Oracle Oracle9i | =personal_9.0.1.5 | |
| Oracle Oracle9i | =personal_9.2 | |
| Oracle Oracle9i | =personal_9.2.0.1 | |
| Oracle Oracle9i | =personal_9.2.0.2 | |
| Oracle Oracle9i | =personal_9.2.0.3 | |
| Oracle Oracle9i | =personal_9.2.0.4 | |
| Oracle Oracle9i | =personal_9.2.0.5 | |
| Oracle Oracle9i | =standard_8.1.7 | |
| Oracle Oracle9i | =standard_9.0 | |
| Oracle Oracle9i | =standard_9.0.1 | |
| Oracle Oracle9i | =standard_9.0.1.2 | |
| Oracle Oracle9i | =standard_9.0.1.3 | |
| Oracle Oracle9i | =standard_9.0.1.4 | |
| Oracle Oracle9i | =standard_9.0.1.5 | |
| Oracle Oracle9i | =standard_9.0.2 | |
| Oracle Oracle9i | =standard_9.2 | |
| Oracle Oracle9i | =standard_9.2.0.1 | |
| Oracle Oracle9i | =standard_9.2.0.2 | |
| Oracle Oracle9i | =standard_9.2.0.3 | |
| Oracle Oracle9i | =standard_9.2.0.4 | |
| Oracle Oracle9i | =standard_9.2.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=bugtraq&m=110382306006205&w=2
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1
- http://www.kb.cert.org/vuls/id/435974
- http://www.ngssoftware.com/advisories/oracle23122004G.txt
- http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
- http://www.securityfocus.com/bid/10871
- http://www.us-cert.gov/cas/techalerts/TA04-245A.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18657
Frequently Asked Questions
What is the severity of CVE-2004-1362?
CVE-2004-1362 is considered to have a moderate severity level due to the potential for unauthorized access.
How do I fix CVE-2004-1362?
To fix CVE-2004-1362, it is recommended to upgrade to a patched version of the Oracle Application Server provided by Oracle.
What software is affected by CVE-2004-1362?
CVE-2004-1362 affects various versions of Oracle Application Server, including 9.0.2 and 10g.
What type of vulnerability is CVE-2004-1362?
CVE-2004-1362 is a character conversion vulnerability that allows for access restriction bypass.
Can CVE-2004-1362 exploit any specific procedures?
Yes, CVE-2004-1362 can exploit specific PL/SQL procedures through encoded URLs containing the "%FF" sequence.
- agent/references
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/oracle
- canonical/oracle application server
- version/oracle application server/9.0.2
- version/oracle application server/9.0.2.0.0
- version/oracle application server/9.0.2.0.1
- version/oracle application server/9.0.2.1
- version/oracle application server/9.0.2.2
- version/oracle application server/9.0.2.3
- version/oracle application server/9.0.3
- version/oracle application server/9.0.3.1
- version/oracle application server/9.0.4
- version/oracle application server/9.0.4.0
- version/oracle application server/9.0.4.1
- canonical/oracle collaboration suite 10g release 1
- version/oracle collaboration suite 10g release 1/release_1
- canonical/oracle e-business suite
- version/oracle e-business suite/11.5.1
- version/oracle e-business suite/11.5.2
- version/oracle e-business suite/11.5.3
- version/oracle e-business suite/11.5.4
- version/oracle e-business suite/11.5.5
- version/oracle e-business suite/11.5.6
- version/oracle e-business suite/11.5.7
- version/oracle e-business suite/11.5.8
- version/oracle e-business suite/11.5.9
- canonical/oracle enterprise manager for oracle database
- version/oracle enterprise manager for oracle database/9
- version/oracle enterprise manager for oracle database/9.0.1
- version/oracle enterprise manager for oracle database/10.1.2
- canonical/oracle enterprise manager grid control 10g
- version/oracle enterprise manager grid control 10g/10.1.0.2
- canonical/oracle database 10g
- version/oracle database 10g/enterprise_9.0.4_.0
- version/oracle database 10g/enterprise_10.1.0.2
- version/oracle database 10g/personal_9.0.4_.0
- version/oracle database 10g/personal_10.1_.0.2
- version/oracle database 10g/standard_9.0.4_.0
- version/oracle database 10g/standard_10.1_.0.2
- canonical/oracle 8i
- version/oracle 8i/enterprise_8.0.5_.0.0
- version/oracle 8i/enterprise_8.0.6_.0.0
- version/oracle 8i/enterprise_8.0.6_.0.1
- version/oracle 8i/enterprise_8.1.5_.0.0
- version/oracle 8i/enterprise_8.1.5_.0.2
- version/oracle 8i/enterprise_8.1.5_.1.0
- version/oracle 8i/enterprise_8.1.6_.0.0
- version/oracle 8i/enterprise_8.1.6_.1.0
- version/oracle 8i/enterprise_8.1.7_.0.0
- version/oracle 8i/enterprise_8.1.7_.1.0
- version/oracle 8i/enterprise_8.1.7_.4
- version/oracle 8i/standard_8.0.6
- version/oracle 8i/standard_8.0.6_.3
- version/oracle 8i/standard_8.1.5
- version/oracle 8i/standard_8.1.6
- version/oracle 8i/standard_8.1.7
- version/oracle 8i/standard_8.1.7_.0.0
- version/oracle 8i/standard_8.1.7_.1
- version/oracle 8i/standard_8.1.7_.4
- canonical/oracle oracle9i
- version/oracle oracle9i/client_9.2.0.1
- version/oracle oracle9i/client_9.2.0.2
- version/oracle oracle9i/enterprise_8.1.7
- version/oracle oracle9i/enterprise_9.0.1
- version/oracle oracle9i/enterprise_9.0.1.4
- version/oracle oracle9i/enterprise_9.0.1.5
- version/oracle oracle9i/enterprise_9.2.0
- version/oracle oracle9i/enterprise_9.2.0.1
- version/oracle oracle9i/enterprise_9.2.0.2
- version/oracle oracle9i/enterprise_9.2.0.3
- version/oracle oracle9i/enterprise_9.2.0.4
- version/oracle oracle9i/enterprise_9.2.0.5
- version/oracle oracle9i/personal_8.1.7
- version/oracle oracle9i/personal_9.0.1
- version/oracle oracle9i/personal_9.0.1.4
- version/oracle oracle9i/personal_9.0.1.5
- version/oracle oracle9i/personal_9.2
- version/oracle oracle9i/personal_9.2.0.1
- version/oracle oracle9i/personal_9.2.0.2
- version/oracle oracle9i/personal_9.2.0.3
- version/oracle oracle9i/personal_9.2.0.4
- version/oracle oracle9i/personal_9.2.0.5
- version/oracle oracle9i/standard_8.1.7
- version/oracle oracle9i/standard_9.0
- version/oracle oracle9i/standard_9.0.1
- version/oracle oracle9i/standard_9.0.1.2
- version/oracle oracle9i/standard_9.0.1.3
- version/oracle oracle9i/standard_9.0.1.4
- version/oracle oracle9i/standard_9.0.1.5
- version/oracle oracle9i/standard_9.0.2
- version/oracle oracle9i/standard_9.2
- version/oracle oracle9i/standard_9.2.0.1
- version/oracle oracle9i/standard_9.2.0.2
- version/oracle oracle9i/standard_9.2.0.3
- version/oracle oracle9i/standard_9.2.0.4
- version/oracle oracle9i/standard_9.2.0.5