CVE Vulnerabilities

CVE-2004-1367

Exposure of Sensitive Information to an Unauthorized Actor

Published: Aug 04, 2004 | Modified: Oct 18, 2016
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 4.4 MEDIUM (AV:L/AC:M/Au:N/C:P/I:P/A:P)

Oracle 10g Database Server, when installed with a password that contains an exclamation point (!) for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password.

Weakness

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Software

Name | Vendor | Start Version | End Version
Application_server | Oracle | * | *
Application_server | Oracle | 9.0.2 | 9.0.2
Application_server | Oracle | 9.0.2.0.0 | 9.0.2.0.0
Application_server | Oracle | 9.0.2.0.1 | 9.0.2.0.1
Application_server | Oracle | 9.0.2.1 | 9.0.2.1
Application_server | Oracle | 9.0.2.2 | 9.0.2.2
Application_server | Oracle | 9.0.2.3 | 9.0.2.3
Application_server | Oracle | 9.0.3 | 9.0.3
Application_server | Oracle | 9.0.3.1 | 9.0.3.1
Application_server | Oracle | 9.0.4 | 9.0.4
Application_server | Oracle | 9.0.4.0 | 9.0.4.0
Application_server | Oracle | 9.0.4.1 | 9.0.4.1
Collaboration_suite | Oracle | release_1 | release_1
E-business_suite | Oracle | 11.5.1 | 11.5.1
E-business_suite | Oracle | 11.5.2 | 11.5.2
E-business_suite | Oracle | 11.5.3 | 11.5.3
E-business_suite | Oracle | 11.5.4 | 11.5.4
E-business_suite | Oracle | 11.5.5 | 11.5.5
E-business_suite | Oracle | 11.5.6 | 11.5.6
E-business_suite | Oracle | 11.5.7 | 11.5.7
E-business_suite | Oracle | 11.5.8 | 11.5.8
E-business_suite | Oracle | 11.5.9 | 11.5.9
Enterprise_manager | Oracle | 9 | 9
Enterprise_manager | Oracle | 9.0.1 | 9.0.1
Enterprise_manager_database_control | Oracle | 10.1.2 | 10.1.2
Enterprise_manager_grid_control | Oracle | 10.1.0.2 | 10.1.0.2
Oracle10g | Oracle | enterprise_9.0.4_.0 | enterprise_9.0.4_.0
Oracle10g | Oracle | enterprise_10.1.0.2 | enterprise_10.1.0.2
Oracle10g | Oracle | personal_9.0.4_.0 | personal_9.0.4_.0
Oracle10g | Oracle | personal_10.1_.0.2 | personal_10.1_.0.2
Oracle10g | Oracle | standard_9.0.4_.0 | standard_9.0.4_.0
Oracle10g | Oracle | standard_10.1_.0.2 | standard_10.1_.0.2
Oracle8i | Oracle | enterprise_8.0.5_.0.0 | enterprise_8.0.5_.0.0
Oracle8i | Oracle | enterprise_8.0.6_.0.0 | enterprise_8.0.6_.0.0
Oracle8i | Oracle | enterprise_8.0.6_.0.1 | enterprise_8.0.6_.0.1
Oracle8i | Oracle | enterprise_8.1.5_.0.0 | enterprise_8.1.5_.0.0
Oracle8i | Oracle | enterprise_8.1.5_.0.2 | enterprise_8.1.5_.0.2
Oracle8i | Oracle | enterprise_8.1.5_.1.0 | enterprise_8.1.5_.1.0
Oracle8i | Oracle | enterprise_8.1.6_.0.0 | enterprise_8.1.6_.0.0
Oracle8i | Oracle | enterprise_8.1.6_.1.0 | enterprise_8.1.6_.1.0
Oracle8i | Oracle | enterprise_8.1.7_.0.0 | enterprise_8.1.7_.0.0
Oracle8i | Oracle | enterprise_8.1.7_.1.0 | enterprise_8.1.7_.1.0
Oracle8i | Oracle | enterprise_8.1.7_.4 | enterprise_8.1.7_.4
Oracle8i | Oracle | standard_8.0.6 | standard_8.0.6
Oracle8i | Oracle | standard_8.0.6_.3 | standard_8.0.6_.3
Oracle8i | Oracle | standard_8.1.5 | standard_8.1.5
Oracle8i | Oracle | standard_8.1.6 | standard_8.1.6
Oracle8i | Oracle | standard_8.1.7 | standard_8.1.7
Oracle8i | Oracle | standard_8.1.7_.0.0 | standard_8.1.7_.0.0
Oracle8i | Oracle | standard_8.1.7_.1 | standard_8.1.7_.1
Oracle8i | Oracle | standard_8.1.7_.4 | standard_8.1.7_.4
Oracle9i | Oracle | client_9.2.0.1 | client_9.2.0.1
Oracle9i | Oracle | client_9.2.0.2 | client_9.2.0.2
Oracle9i | Oracle | enterprise_8.1.7 | enterprise_8.1.7
Oracle9i | Oracle | enterprise_9.0.1 | enterprise_9.0.1
Oracle9i | Oracle | enterprise_9.0.1.4 | enterprise_9.0.1.4
Oracle9i | Oracle | enterprise_9.0.1.5 | enterprise_9.0.1.5
Oracle9i | Oracle | enterprise_9.2.0 | enterprise_9.2.0
Oracle9i | Oracle | enterprise_9.2.0.1 | enterprise_9.2.0.1
Oracle9i | Oracle | enterprise_9.2.0.2 | enterprise_9.2.0.2
Oracle9i | Oracle | enterprise_9.2.0.3 | enterprise_9.2.0.3
Oracle9i | Oracle | enterprise_9.2.0.4 | enterprise_9.2.0.4
Oracle9i | Oracle | enterprise_9.2.0.5 | enterprise_9.2.0.5
Oracle9i | Oracle | personal_8.1.7 | personal_8.1.7
Oracle9i | Oracle | personal_9.0.1 | personal_9.0.1
Oracle9i | Oracle | personal_9.0.1.4 | personal_9.0.1.4
Oracle9i | Oracle | personal_9.0.1.5 | personal_9.0.1.5
Oracle9i | Oracle | personal_9.2 | personal_9.2
Oracle9i | Oracle | personal_9.2.0.1 | personal_9.2.0.1
Oracle9i | Oracle | personal_9.2.0.2 | personal_9.2.0.2
Oracle9i | Oracle | personal_9.2.0.3 | personal_9.2.0.3
Oracle9i | Oracle | personal_9.2.0.4 | personal_9.2.0.4
Oracle9i | Oracle | personal_9.2.0.5 | personal_9.2.0.5
Oracle9i | Oracle | standard_8.1.7 | standard_8.1.7
Oracle9i | Oracle | standard_9.0 | standard_9.0
Oracle9i | Oracle | standard_9.0.1 | standard_9.0.1
Oracle9i | Oracle | standard_9.0.1.2 | standard_9.0.1.2
Oracle9i | Oracle | standard_9.0.1.3 | standard_9.0.1.3
Oracle9i | Oracle | standard_9.0.1.4 | standard_9.0.1.4
Oracle9i | Oracle | standard_9.0.1.5 | standard_9.0.1.5
Oracle9i | Oracle | standard_9.0.2 | standard_9.0.2
Oracle9i | Oracle | standard_9.2 | standard_9.2
Oracle9i | Oracle | standard_9.2.0.1 | standard_9.2.0.1
Oracle9i | Oracle | standard_9.2.0.2 | standard_9.2.0.2
Oracle9i | Oracle | standard_9.2.0.3 | standard_9.2.0.3
Oracle9i | Oracle | standard_9.2.0.4 | standard_9.2.0.4
Oracle9i | Oracle | standard_9.2.0.5 | standard_9.2.0.5

Extended Description

There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:

Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:

Information exposures can occur in different ways:

It is common practice to describe any loss of confidentiality as an “information exposure,” but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.

Potential Mitigations

  • Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
