Strix
26.1K

CVE-2004-1362

UnknownEPSS 9.05%

Last modified

CVE-2004-1362 is a vulnerability of currently unknown severity. The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.. EPSS estimates a 9.05% chance of exploitation in the next 30 days.

Description

The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.

Metrics

EPSS Probability
9.05%

94.6th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
OracleApplication ServerAll versions
OracleApplication Server9.0.2
OracleApplication Server9.0.2.0.0
OracleApplication Server9.0.2.0.1
OracleApplication Server9.0.2.1
OracleApplication Server9.0.2.2
OracleApplication Server9.0.2.3
OracleApplication Server9.0.3
OracleApplication Server9.0.3.1
OracleApplication Server9.0.4
OracleApplication Server9.0.4.0
OracleApplication Server9.0.4.1
OracleCollaboration Suiterelease_1
OracleE-Business Suite11.5.1
OracleE-Business Suite11.5.2
OracleE-Business Suite11.5.3
OracleE-Business Suite11.5.4
OracleE-Business Suite11.5.5
OracleE-Business Suite11.5.6
OracleE-Business Suite11.5.7
OracleE-Business Suite11.5.8
OracleE-Business Suite11.5.9
OracleEnterprise Manager9
OracleEnterprise Manager9.0.1
OracleEnterprise Manager Database Control10.1.2
OracleEnterprise Manager Grid Control10.1.0.2
OracleOracle10genterprise_9.0.4_.0
OracleOracle10genterprise_10.1.0.2
OracleOracle10gpersonal_9.0.4_.0
OracleOracle10gpersonal_10.1_.0.2
OracleOracle10gstandard_9.0.4_.0
OracleOracle10gstandard_10.1_.0.2
OracleOracle8ienterprise_8.0.5_.0.0
OracleOracle8ienterprise_8.0.6_.0.0
OracleOracle8ienterprise_8.0.6_.0.1
OracleOracle8ienterprise_8.1.5_.0.0
OracleOracle8ienterprise_8.1.5_.0.2
OracleOracle8ienterprise_8.1.5_.1.0
OracleOracle8ienterprise_8.1.6_.0.0
OracleOracle8ienterprise_8.1.6_.1.0
OracleOracle8ienterprise_8.1.7_.0.0
OracleOracle8ienterprise_8.1.7_.1.0
OracleOracle8ienterprise_8.1.7_.4
OracleOracle8istandard_8.0.6
OracleOracle8istandard_8.0.6_.3
OracleOracle8istandard_8.1.5
OracleOracle8istandard_8.1.6
OracleOracle8istandard_8.1.7
OracleOracle8istandard_8.1.7_.0.0
OracleOracle8istandard_8.1.7_.1

Showing 50 of 87 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2004-1362?
The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.
How severe is CVE-2004-1362?
Severity scoring for CVE-2004-1362 is pending analysis. The EPSS model estimates a 9.05% probability of exploitation in the next 30 days.
How do I fix CVE-2004-1362?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2004-1362?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST