CVE-2008-3996

Oracle Database <11.1.0.6 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3996. PoCs published by MC, including Metasploit module auxiliary/sqli/oracle/dbms_cdc_ipublish.

AI-analyzed exploit summary This Metasploit module exploits a SQL injection vulnerability in Oracle Database Server via the SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE procedure. It creates a malicious function to execute arbitrary SQL commands, potentially granting DBA privileges to the attacker.

Description

Unspecified vulnerability in the Change Data Capture component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.6 allows remote authenticated users to affect confidentiality and integrity, related to SYS.DBMS_CDC_IPUBLISH.

Exploits (1)

metasploit WORKING POC

by MC · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb

View Code ZIP pw:eip

This Metasploit module exploits a SQL injection vulnerability in Oracle Database Server via the SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE procedure. It creates a malicious function to execute arbitrary SQL commands, potentially granting DBA privileges to the attacker.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database Server 10gR1, 10gR2, 11gR1

Auth required

Prerequisites: Execute privilege on DBMS_CDC_IPUBLISH package · Valid database credentials

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/45900

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/32291

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/2825

Scores

EPSS 0.0952

EPSS Percentile 94.8%

Details

Status published

Products (3)

oracle/database_10g 10.1.0.5

oracle/database_10g 10.2.0.4

oracle/database_11i 11.1.0.6

Published Oct 14, 2008

Tracked Since Feb 18, 2026