CVE-2004-1363

CRITICAL

Oracle Application Server - Buffer Overflow

Title source: rule

Description

Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed.

References (8)

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/18659

[Broken Link, Patch, Vendor Advisory] http://www.ngssoftware.com/advisories/oracle23122004.txt

[Mailing List] http://marc.info/?l=bugtraq&m=110382345829397&w=2

[Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/316206

[Broken Link, Patch, Third Party Advisory, US Government Resource] http://www.us-cert.gov/cas/techalerts/TA04-245A.html

[Broken Link, Patch, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/10871

[Broken Link, Patch, Vendor Advisory] http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf

[Broken Link] http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1

Scores

CVSS v3 9.8

EPSS 0.2766

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-131

Status published

Products (33)

oracle/application_server

oracle/application_server 9.0.2

oracle/application_server 9.0.2.0.0

oracle/application_server 9.0.2.0.1

oracle/application_server 9.0.2.1

oracle/application_server 9.0.2.2

oracle/application_server 9.0.2.3

oracle/application_server 9.0.3

oracle/application_server 9.0.3.1

oracle/application_server 9.0.4

... and 23 more

Published Aug 04, 2004

Tracked Since Feb 18, 2026