Vulnerability Details : CVE-2010-3600
Public exploit exists!
Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code.
Threat overview for CVE-2010-3600
Top countries where our scanners detected CVE-2010-3600
Top open port discovered on systems with this issue
1521
IPs affected by CVE-2010-3600 34,610
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2010-3600!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2010-3600
Probability of exploitation activity in the next 30 days: 97.28%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2010-3600
-
Oracle Database Client System Analyzer Arbitrary File Upload
Disclosure Date: 2011-01-18First seen: 2020-04-26exploit/windows/oracle/client_system_analyzer_uploadThis module exploits an arbitrary file upload vulnerability on the Client Analyzer component as included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. This module has been tested successfully on Oracle Database 11
CVSS scores for CVE-2010-3600
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
References for CVE-2010-3600
-
http://www.vupen.com/english/advisories/2011/0139
Webmail | OVH- OVHVendor Advisory
-
http://www.securitytracker.com/id?1024972
Oracle Database Bugs Let Remote Users Partially Obtain and Modify Data and Cause Partial Denial of Service Conditions - SecurityTracker
-
http://www.zerodayinitiative.com/advisories/ZDI-11-018/
ZDI-11-018 | Zero Day Initiative
-
http://www.vupen.com/english/advisories/2011/0140
Webmail | OVH- OVHVendor Advisory
-
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
Oracle Critical Patch Update - January 2011Vendor Advisory
-
http://www.securityfocus.com/bid/45883
Oracle Database and Enterprise Manager Grid Control Remote Code Execution Vulnerability
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/64755
Vulnerability Report
Products affected by CVE-2010-3600
- cpe:2.3:a:oracle:database_server:11.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_grid_control:10.2.0.5:*:*:*:*:*:*:*