CVE-2014-6577

Oracle Database Server <12.1 - Confidentiality

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-6577. PoCs published by SecurityArtWork.

AI-analyzed exploit summary

This repository contains a Python script that automates the exploitation of CVE-2014-6577, an XXE (XML External Entity) vulnerability in Oracle products that can lead to SQL injection. The script sets up a local HTTP server to capture exfiltrated data and injects malicious XML payloads into a target URL.

Description

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.

Exploits (1)

nomisec WORKING POC
by SecurityArtWork · poc
https://github.com/SecurityArtWork/oracle-xxe-sqli


Classification
Working PoC 95%
Attack Type
SQLi
Complexity
Moderate
Reliability
Reliable
Target: Oracle products (specific versions not specified)
No auth needed
Prerequisites: Network access to the target Oracle application · A vulnerable Oracle product with XXE/SQLi exposure
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References (4)
Third Party Advisory, VDB Entry (x_refsource_bid)
http://www.securityfocus.com/bid/72139
Third Party Advisory, VDB Entry (x_refsource_sectrack)
http://www.securitytracker.com/id/1031572

Scores

EPSS 0.0353
EPSS Percentile 87.8%

Details

Status published
Products (4)
oracle/database_server 11.2.0.3
oracle/database_server 11.2.0.4
oracle/database_server 12.1.0.1
oracle/database_server 12.1.0.2
Published Jan 21, 2015
Tracked Since Feb 18, 2026