[Original] SQL injection vulnerability in the SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CHANGE_SET procedure in Oracle Database Server 10g allows remote attackers to execute arbitrary SQL commands via the CHANGE_SET_NAME parameter.
Oracle Database Server Change Data Capture DBMS_CDC_IPUBLISH CREATE_SCN_CHANGE_SET Procedure SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Oracle Database Server contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'CREATE_SCN_CHANGE_SET' procedure in the 'DBMS_CDC_ISUBSCRIBE' package not properly sanitizing its input, which may allow a remote attacker to inject or manipulate SQL queries.
Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.