Vigil@nce: PL/SQL Developer, privilege elevation
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
In some cases, PL/SQL Developer does not correctly process an
Oracle privilege, so an attacker can obtain this privilege.
– Severity: 2/4
– Creation date: 05/09/2011
IMPACTED PRODUCTS
– Allround Automations PL/SQL Developer
DESCRIPTION OF THE VULNERABILITY
An Oracle database can grant administrative privileges to users:
– Grant Any Object Privilege
– Grant Any Role
– Administer Resource Manager
– etc.
In some cases, PL/SQL Developer does not correctly grant or
revoke the Administer Resource Manager privilege. Technical
details are unknown.
An unsecured application can thus have higher privileges than
intended, so an attacker can obtain this privilege.
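Because the tool may not apply the grant or revoke it reports, the effective state can be checked in the data dictionary. The following is an added example, not part of the Vigil@nce bulletin or the vendor's code; it assumes read access to the DBA_* views, and APP_USER is a hypothetical account name.

```sql
-- Added example: list every account or role that effectively holds
-- ADMINISTER RESOURCE MANAGER, directly or through a chain of roles.
WITH direct_grants AS (
  SELECT grantee, admin_option
  FROM   dba_sys_privs
  WHERE  privilege = 'ADMINISTER RESOURCE MANAGER'
),
role_chain AS (
  -- Walk role-to-role and role-to-user grants, starting from any
  -- role that holds the privilege directly.
  SELECT DISTINCT rp.grantee,
         CONNECT_BY_ROOT rp.granted_role AS source_role
  FROM   dba_role_privs rp
  START WITH rp.granted_role IN (SELECT grantee FROM direct_grants)
  CONNECT BY PRIOR rp.grantee = rp.granted_role
)
SELECT grantee, 'DIRECT' AS granted_via, admin_option
FROM   direct_grants
UNION ALL
SELECT grantee, source_role AS granted_via, NULL AS admin_option
FROM   role_chain
ORDER  BY 1, 2;

-- If an account appears that should not hold the privilege, revoke it
-- with Oracle's documented package and re-run the query above to
-- confirm the change took effect.
BEGIN
  DBMS_RESOURCE_MANAGER_PRIVS.REVOKE_SYSTEM_PRIVILEGE(
    revokee_name   => 'APP_USER',  -- hypothetical account name
    privilege_name => 'ADMINISTER_RESOURCE_MANAGER');
END;
/
```

The dictionary view shows the privilege name with spaces, while the package parameter uses underscores.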
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/PL-SQL-Developer-privilege-elevation-10969