CVE-2010-0866

Oracle Database <11.2.0.1 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-0866. Includes Metasploit module auxiliary/sqli/oracle/jvm_os_code_10g.

AI-analyzed exploit summary: This Metasploit module exploits a flaw in Oracle DBMS_JVM_EXP_PERMS to grant Java IO privileges, enabling OS command execution via DBMS_JAVA_TEST.FUNCALL. Targets Oracle 10g R2, 11g R1/R2 on Windows.

Description

Unspecified vulnerability in the JavaVM component in Oracle Database 11.1.0.7 and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

Exploits (2)

metasploit · WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb

This Metasploit module exploits a flaw in Oracle DBMS_JVM_EXP_PERMS to grant Java IO privileges, enabling OS command execution via DBMS_JAVA_TEST.FUNCALL. Targets Oracle 10g R2, 11g R1/R2 on Windows.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Database 10g R2, 11g R1/R2 (Windows)
Auth required
Prerequisites: Valid Oracle DB credentials with CREATE SESSION privilege
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb

This Metasploit module exploits a flaw in Oracle DB 11g's DBMS_JVM_EXP_PERMS package to grant Java IO privileges and execute arbitrary OS commands. It leverages SQL injection to manipulate Java permissions and execute system commands via `dbms_java.runjava`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Database 11g R1/R2 (Windows only)
Auth required
Prerequisites: Valid Oracle DB credentials with CREATE SESSION privilege · Network access to the Oracle DB server
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-103B.html

Scores

EPSS 0.1155
EPSS Percentile 95.5%

Details

Status published
Products (2)
oracle/database_server 11.1.0.7
oracle/database_server 11.2.0.1
Published Apr 13, 2010
Tracked Since Feb 18, 2026