CVE-2021-35576 — Vulnetix

CVE-2021-35576 PUBLISHED CVSS 4 MEDIUM

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

EPSS 0.75% · 73.6th percentile

Risk Scores

CVSS 2.0

EPSS Score

0.75%

73.6th percentile

Affected Products

Vendor	Product	Versions
Oracle Corporation	Database - Enterprise Edition	12.1.0.2, 12.2.0.1, 19c
oracle	database_server	12.2.0.1, 19c, 12.1.0.2

Exploit Intelligence

CVE-2021-35576 (github-poc)
CVE-2021-35576 (github-poc)
CVE-2021-35576 (github-poc)
CVE-2021-35576 (github-poc)
http://packetstormsecurity.com/files/170354/Oracle-Unified-Audit-Policy-Bypass.html (nist-nvd)
http://packetstormsecurity.com/files/170373/Oracle-Database-Vault-Metadata-Exposure.html (nist-nvd)
https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/ (nist-nvd)
https://www.oracle.com/security-alerts/cpuoct2021.html (circl)
Oracle Database Vault Metadata Exposure Vulnerability (0day-today)
Oracle Database Vault Metadata Exposure Vulnerability (0day-today)

…and 2 more exploits

Timeline

Oct 20, 2021 CVE Published
Oct 21, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 8, 2022 EPSS Score
Jul 30, 2022 EPSS Score
Nov 20, 2022 EPSS Score
Jan 3, 2023 PoC Published
Jan 5, 2023 PoC Published
Jan 15, 2023 EPSS Score
Mar 12, 2023 EPSS Score

References

Open in Interactive Console →