The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of PL/SQL Developer

vulnerability bulletin CVE-2016-2346

PL/SQL Developer: Man-in-the-Middle

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on PL/SQL Developer, in order to alter the downloaded update.
Impacted products: PL/SQL Developer.
Severity: 3/4.
Consequences: user access/rights, data creation/edition.
Provenance: internet server.
Creation date: 26/04/2016.
Identifiers: CVE-2016-2346, VIGILANCE-VUL-19463, VU#229047.

Description of the vulnerability

The PL/SQL Developer product downloads its updates from the internet.

However, the download uses plain HTTP, without TLS (HTTPS).

An attacker can therefore act as a Man-in-the-Middle on PL/SQL Developer, in order to alter the downloaded update.

computer vulnerability note 10969

PL/SQL Developer: privilege elevation

Synthesis of the vulnerability

In some cases, PL/SQL Developer does not correctly process an Oracle privilege, so an attacker can obtain this privilege.
Impacted products: PL/SQL Developer.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user shell.
Creation date: 05/09/2011.
Identifiers: BID-49467, VIGILANCE-VUL-10969.

Description of the vulnerability

An Oracle database can grant administrative privileges to users:
 - Grant Any Object Privilege
 - Grant Any Role
 - Administer Resource Manager
 - etc.

In some cases, PL/SQL Developer does not correctly grant or revoke the Administer Resource Manager privilege.

An unsecured application can thus have higher privileges than intended, so an attacker can obtain this privilege.