CVE-2010-3600 : Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and En

Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code.

Published 2011-01-19 16:00:03

Updated 2017-08-17 01:33:00

Source Oracle

View at NVD, CVE.org

Threat overview for CVE-2010-3600

Top countries where our scanners detected CVE-2010-3600

Top open port discovered on systems with this issue 1521

IPs affected by CVE-2010-3600 34,610

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2010-3600!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2010-3600

Probability of exploitation activity in the next 30 days: 97.28%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2010-3600

Oracle Database Client System Analyzer Arbitrary File Upload

Disclosure Date: 2011-01-18

First seen: 2020-04-26

exploit/windows/oracle/client_system_analyzer_upload

This module exploits an arbitrary file upload vulnerability on the Client Analyzer component as included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. This module has been tested successfully on Oracle Database 11

More information

CVSS scores for CVE-2010-3600

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

References for CVE-2010-3600

http://www.vupen.com/english/advisories/2011/0139

Webmail | OVH- OVH
Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id?1024972

Oracle Database Bugs Let Remote Users Partially Obtain and Modify Data and Cause Partial Denial of Service Conditions - SecurityTracker

CVEs referencing this url
http://www.zerodayinitiative.com/advisories/ZDI-11-018/

ZDI-11-018 | Zero Day Initiative
http://www.vupen.com/english/advisories/2011/0140

Webmail | OVH- OVH
Vendor Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Oracle Critical Patch Update - January 2011
Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/45883

Oracle Database and Enterprise Manager Grid Control Remote Code Execution Vulnerability
https://exchange.xforce.ibmcloud.com/vulnerabilities/64755

Vulnerability Report

Products affected by CVE-2010-3600

Oracle » Database Server » Version: 11.1.0.7
cpe:2.3:a:oracle:database_server:11.1.0.7:*:*:*:*:*:*:*
Matching versions
Oracle » Database Server » Version: 11.2.0.1
cpe:2.3:a:oracle:database_server:11.2.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Grid Control » Version: 10.2.0.5
cpe:2.3:a:oracle:enterprise_manager_grid_control:10.2.0.5:*:*:*:*:*:*:*
Matching versions