CVE-2010-2415

Oracle Database Server - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-2415. PoCs published by MC, including Metasploit module auxiliary/sqli/oracle/dbms_cdc_publish3.

AI-analyzed exploit summary: This Metasploit module exploits a SQL injection vulnerability in Oracle's DBMS_CDC_PUBLISH.CREATE_CHANGE_SET procedure, allowing arbitrary SQL execution. It leverages base64-encoded payloads to bypass restrictions and execute malicious SQL commands.

Description

Unspecified vulnerability in the Change Data Capture component in Oracle Database Server 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality and integrity, related to DBMS_CDC_PUBLISH.

Exploits (1)

metasploit · WORKING POC
by MC · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Oracle Database (versions affected by CVE-2010-2415)
Auth required
Prerequisites: Execute privilege on SYS.DBMS_CDC_PUBLISH package · Valid database credentials
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
US Government Resource · third-party-advisory · x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-287A.html

Scores

EPSS 0.0883
EPSS Percentile 94.5%

Details

Status published
Products (4)
oracle/database_server 10.1.0.5
oracle/database_server 10.2.0.4
oracle/database_server 11.1.0.7
oracle/database_server 11.2.0.1
Published Oct 14, 2010
Tracked Since Feb 18, 2026