CVE-2008-2138
Summary
| CVE | CVE-2008-2138 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2008-05-12 16:20:00 UTC |
| Updated | 2018-10-11 20:39:00 UTC |
| Description | Oracle Application Server (OracleAS) Portal 10g allows remote attackers to bypass intended access restrictions and read the contents of /dav_portal/portal/ by sending a request containing a trailing "%0A" (encoded line feed), then using the session ID that is generated from that request. NOTE: as of 20080512, Oracle has not commented on the accuracy of this report. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Oracle | Application Server Portal | 10g | All | All | All |
| Application | Oracle | Application Server Portal | 10g | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| SecurityFocus | BUGTRAQ | www.securityfocus.com | |
| SecurityReason - Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability | SREASON | securityreason.com | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| Oracle Application Server Portal Authentication Bypass Vulnerability | BID | www.securityfocus.com | Exploit |
| Oracle Application Server Portal Authentication Bypass - Secunia Advisories - Vulnerability Intelligence - Secunia.com | SECUNIA | secunia.com | |
| Oracle Application Server May Discloses Files in '/dav_portal/portal/' Directory to Remote Users - SecurityTracker | SECTRACK | www.securitytracker.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.