CVE-2021-2173

MEDIUM

Oracle Database Server <19c - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-2173. PoCs published by emad-almousa.

AI-analyzed exploit summary The repository provides a reference to a detailed technical analysis of CVE-2021-2173, which involves metadata exposure in Oracle Database leading to information leakage. It includes links to a blog post and Oracle's advisory for further details.

Description

Vulnerability in the Recovery component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA Level Account privilege with network access via Oracle Net to compromise Recovery. While the vulnerability is in Recovery, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Recovery accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

Exploits (1)

nomisec WRITEUP

by emad-almousa · poc

https://github.com/emad-almousa/CVE-2021-2173

View Code ZIP pw:eip

The repository provides a reference to a detailed technical analysis of CVE-2021-2173, which involves metadata exposure in Oracle Database leading to information leakage. It includes links to a blog post and Oracle's advisory for further details.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database (versions affected per April 2021 CPU)

No auth needed

Prerequisites: Access to Oracle Database metadata

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://github.com/emad-almousa/CVE-2021-2173

Patch, Vendor Advisory

https://www.oracle.com/security-alerts/cpuapr2021.html

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171344/Oracle-DB-Broken-PDB-Isolation-Metadata-Exposure.html

Scores

CVSS v3 4.1

EPSS 0.0137

EPSS Percentile 68.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Products (4)

oracle/database_server 12.1.0.2

oracle/database_server 12.2.0.1

oracle/database_server 18c

oracle/database_server 19c

Published Apr 22, 2021

Tracked Since Feb 18, 2026