Vulnerabilities > CVE-2011-3525 - Unspecified vulnerability in Oracle Database Server 3.2/4.0

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
oracle
nessus

Summary

Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2 and 4.0 allows remote authenticated users to affect confidentiality, integrity, and availability, related to APEX developer user.

Vulnerable Configurations

Part Description Count
Application
Oracle
2

Nessus

  • NASL familyWeb Servers
    NASL idORACLE_APEX_CVE-2011-3525.NASL
    descriptionAn unspecified vulnerability in versions 3.2 and 4.0 of the Application Express (Apex) component of the Oracle Database Server allows remote, authenticated users to affect confidentiality, integrity, and availability, relating to the Apex developer user.
    last seen2020-06-01
    modified2020-06-02
    plugin id64712
    published2013-02-20
    reporterThis script is Copyright (C) 2013-2019 Recx Ltd.
    sourcehttps://www.tenable.com/plugins/nessus/64712
    titleOracle Application Express (Apex) CVE-2011-3525
    code
    # ---------------------------------------------------------------------------------
    # (c) Recx Ltd 2009-2012
    # http://www.recx.co.uk/
    #
    # Detection script for CVE-2011-3525
    # Ref: https://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html
    # Oracle Application Express v3.2 < x < v4.1
    #
    #   Unspecified vulnerability in the Application Express component in Oracle
    #   Database Server 3.2 and 4.0 that allows remote authenticated users to affect
    #   confidentiality, integrity, and availability, related to Apex developer user.
    #
    # Version 1.0
    # ---------------------------------------------------------------------------------
    
    include("compat.inc");
    
    if (description)
    {
      script_id(64712);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2011-3525");
      script_bugtraq_id(50197);
    
      script_name(english:"Oracle Application Express (Apex) CVE-2011-3525");
      script_summary(english:"Checks whether vulnerable to CVE-2011-3525");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is running a vulnerable version of Oracle Apex.");
      script_set_attribute(attribute:"description", value:
    "An unspecified vulnerability in versions 3.2 and 4.0 of the
    Application Express (Apex) component of the Oracle Database Server
    allows remote, authenticated users to affect confidentiality,
    integrity, and availability, relating to the Apex developer user.");
      script_set_attribute(attribute:"see_also", value:"http://www.oracle.com/technetwork/developer-tools/apex/index.html");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html");
      script_set_attribute(attribute:"see_also", value:"https://www.recx.co.uk/downloads/Recx-Apex-CVE-2011-3525.pdf");
      script_set_attribute(attribute:"solution", value:
    "Upgrade Application Express to at least version 4.1.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/10/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/20");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_express");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2013-2020 Recx Ltd.");
    
      script_dependencies("oracle_apex_detect_version.nasl");
      script_require_keys("Oracle/Apex");
      script_require_ports("Services/www", 8080, 80, 443);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
    function raise_finding(port, report)
    {
      if(report_verbosity > 0)
        security_warning(port:port, extra:report);
      else security_warning(port);
    }
    
    port = get_http_port(default:8080, embedded:TRUE);
    
    if (!get_port_state(port)) exit(0, "Port " + port + " is not open.");
    
    version = get_kb_item("Oracle/Apex/"+port+"/Version");
    if(!version) exit(0, "The 'Oracle/Apex/" + port + "/Version' KB item is not set.");
    
    location = get_kb_item("Oracle/Apex/" + port + "/Location");
    if(!location) exit(0, "The 'Oracle/Apex/" + port + "/Location' KB item is not set.");
    url = build_url(qs:location, port:port);
    
    if (version == "3.2" || version == "3.2.1" || version == "4.0" || version == "4.0.1" || version == "4.0.2")
    {
      report = '\n  URL               : ' + url +
               '\n  Installed version : ' + version +
               '\n  Fixed version     : 4.1' + '\n';
      raise_finding(port:port, report:report);
      exit(0);
    }
    
    exit(0, "The Oracle Apex install at " + url + " is version " + version + " and is not affected.");
    
  • NASL familyDatabases
    NASL idORACLE_RDBMS_CPU_OCT_2011.NASL
    descriptionThe remote Oracle database server is missing the October 2011 Critical Patch Update (CPU) and therefore is potentially affected by security issues in the following components : - Oracle Text - Application Express - Core RDBMS - Database Vault
    last seen2020-06-02
    modified2011-10-26
    plugin id56653
    published2011-10-26
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/56653
    titleOracle Database Multiple Vulnerabilities (October 2011 CPU)