VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2001 · Updated Apr 16, 2026

CVE-2001-0832

Description

Local users can overwrite arbitrary files in Oracle 8.0.x–9.0.1 on Unix via symlink attack or incorrect permissions in ORACLE_HOME/rdbms/log.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Oracle 8.0.x through 9.0.1 on Unix contains a vulnerability that allows local users to overwrite arbitrary files. The issue resides in the ORACLE_HOME/rdbms/log directory or an alternate directory specified by the ORACLE_HOME environment variable. The vulnerable code path is reachable due to incorrect file permissions or a symlink attack, as described in [1].

Exploitation

An attacker must have local access to the system. By manipulating the ORACLE_HOME environment variable or creating symlinks in the rdbms/log directory, a user can cause Oracle to overwrite files writable by the Oracle process. The SETUID bit on the oracle executable facilitates this. No authentication beyond local user access is required [1].

Impact

Successful exploitation allows a local user to overwrite arbitrary files on the system, potentially leading to denial of service, privilege escalation, or data corruption. The attacker gains the ability to write to files with the privileges of the Oracle process (often the oracle user) [1].

Mitigation

Limit access to the ORACLE_HOME directory to database administrators only by changing its permissions to 770. If ordinary users must run SQL*Plus, they should do so using the client-server model, not directly on the server. Oracle released a patch for 8.1.7; for 9.0.1, patchset 2 addressed the issue. Removing the SETUID bit may cause functional issues [1].
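
A read-only audit for the conditions named above, added here as an example (it is not Oracle's or the advisory's own tooling): it checks that ORACLE_HOME grants nothing to "other" (the 770 recommendation), flags a world-writable or symlinked rdbms/log, lists symlinks inside it, and reports the setuid bit on the oracle executable. The function names, the finding labels and the bin/oracle location are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an Oracle home for the conditions CVE-2001-0832 relies on.
# Read-only; prints one finding per line. Finding labels are made up for this example.

# has_perm PATH EXPR...: true if PATH itself matches the find(1) expression.
has_perm() {
    p=$1; shift
    [ -n "$(find "$p" -prune "$@" 2>/dev/null)" ]
}

audit_oracle_home() {
    home=$1
    log="$home/rdbms/log"

    # Mitigation on the page: ORACLE_HOME should be mode 770 (no access for "other").
    if has_perm "$home" \( -perm -001 -o -perm -002 -o -perm -004 \); then
        echo "HOME_OPEN_TO_OTHERS $home"
    fi

    if [ -L "$log" ]; then
        echo "LOG_DIR_IS_SYMLINK $log"
    elif [ -d "$log" ]; then
        # A world-writable log directory lets any local user plant entries in it.
        if has_perm "$log" -perm -002; then
            echo "LOG_DIR_WORLD_WRITABLE $log"
        fi
        # Symlinks in the log directory redirect Oracle's writes elsewhere.
        find "$log" -type l 2>/dev/null | while IFS= read -r link; do
            echo "SYMLINK_IN_LOG $link"
        done
    fi

    # Report only: the page notes that removing setuid may break functionality.
    # Assumed location of the oracle executable: $ORACLE_HOME/bin/oracle.
    if has_perm "$home/bin/oracle" -perm -4000; then
        echo "SETUID_BINARY $home/bin/oracle"
    fi
}

# Stand-alone use: sh audit.sh /path/to/oracle/home
if [ "$#" -gt 0 ]; then audit_oracle_home "$1"; fi
```

An empty result means none of the four conditions was found; a SETUID_BINARY line on its own is informational, since the setuid bit is expected on a stock install.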

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:* (range: <=9.0.1)
    • cpe:2.3:a:oracle:database_server:8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:database_server:8.1:*:*:*:*:*:*:*
  • Range: >=8.0.0, <=9.0.1

References

2