Cybersecurity specialists reported eight vulnerabilities affecting Oracle Database Server. According to the report, successful exploitation of these flaws would allow malicious hackers to access sensitive information and run arbitrary code on the affected systems.
Below are brief descriptions of the reported vulnerabilities, together with their CVE identifiers and scores under the Common Vulnerability Scoring System (CVSS).
CVE-2021-2035: Improper input validation within the RDBMS Scheduler in Oracle Database Server allows authenticated threat actors to run arbitrary code on the target system.
This is a high-severity flaw and received a 7/10 CVSS score.
CVE-2021-2018: Improper input validation in the Advanced Networking Option in Oracle Database Server allows remote malicious hackers to run arbitrary code on the affected systems.
The flaw received a 7.2/10 CVSS score.
CVE-2021-2054: This flaw exists due to incorrect input validation within RDBMS Sharding on Oracle Database Server. This condition could be used by threat actors to execute arbitrary code on affected systems.
This is a medium severity flaw that received a 6.4/10 CVSS score.
CVE-2021-1993: Improper input validation within the Java VM would allow remote authenticated users to exploit this vulnerability to manipulate confidential data.
Cybersecurity experts assigned this flaw a 4.5/10 CVSS score.
CVE-2021-2045: Improper input validation within Oracle Text in Oracle Database Server would allow authenticated users to exploit this flaw to generate denial of service (DoS) conditions. This is a low-severity flaw that received a 2.7/10 CVSS score.
CVE-2021-2000: Improper input validation within Unified Audit in Oracle Database Server allows remote privileged users to abuse this flaw to manipulate confidential data.
This is a low-severity vulnerability and received a 2.1/10 CVSS score.
CVE-2021-2116: Deficient sanitization of user-supplied data in Oracle Application Express Opportunity Tracker could allow threat actors to run arbitrary HTML code in the affected systems using nothing more than a specially crafted link.
The flaw received a 2.7/10 CVSS score; its successful exploitation allows remote attackers to steal potentially sensitive information, among other malicious activities.
CVE-2021-2117: Deficient sanitization of user-supplied data in Oracle Application Express Survey Builder allows malicious hackers to send specially crafted links that run arbitrary HTML code in the target user's browser.
This is a low-severity vulnerability with a 4.7/10 CVSS score. Its successful exploitation would allow a remote attacker to steal potentially sensitive information and perform phishing attacks, among other security threats.
Cybersecurity experts did not report active exploitation attempts, but urge users of affected deployments to apply the available updates as soon as possible.