Oracle Database Server RDBMS Listener Vulnerability Allowing Unauthorized Data Access

Vulnerability

A vulnerability exists in the RDBMS Listener component of Oracle Database Server, specifically in versions 19.3-19.26, 21.3-21.17, and 23.4-23.7. This vulnerability allows an unauthenticated attacker with network access via Oracle Net to compromise the RDBMS Listener. Exploitation of this vulnerability requires human interaction from a third party. Successful attacks can lead to unauthorized access to sensitive data or complete access to all data accessible through the RDBMS Listener.

Impact

Exploitation of this vulnerability triggers a memory leak in the Oracle Transparent Network Substrate (TNS) protocol handling; the leaked memory can be used to disclose sensitive information from the server's process memory, including environment variables, to an unauthenticated remote user over the internet.

Reproduction

The vulnerability can be reproduced by sending a request to an Oracle Database server's TCPS listener that includes the command to retrieve the database version. If the listener is configured to accept remote unauthenticated requests, the response includes the version information along with potentially sensitive data from the server's memory.

Remediation

Users can apply the patch provided in the April 2025 Oracle Critical Patch Update to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (category: score)
spread: 7.3
impact: 5.0
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.