CVE-2004-1338
Description
Oracle 9i and 10g default triggers allow local users to escalate privileges by injecting arbitrary PL/SQL functions via SDO_CMT_CBK_TRIG.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Oracle Database 9i and 10g, the default trigger SDO_CMT_CBK_TRIG, owned by MDSYS, fires on DELETE operations against the SDO_TXN_IDX_INSERTS table. The trigger reads a list of function names from the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE tables and executes them. PUBLIC has no direct INSERT privilege on those tables, but the MDSYS package PRVT_CMT_CBK exposes the procedures CCBKAPPLROWTRIG and EXEC_CBK_FN_DML, which accept a schema name and a function name and insert them into those same tables [1].
Exploitation
A local user with minimal privileges can craft a malicious PL/SQL function (or reuse an existing one owned by a privileged user). By calling CCBKAPPLROWTRIG or EXEC_CBK_FN_DML with the schema and name of that function, the attacker inserts the function reference into SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE. Subsequently, performing a DELETE on SDO_TXN_IDX_INSERTS causes the SDO_CMT_CBK_TRIG trigger to fire and execute the attacker-specified function with MDSYS privileges [1].
Impact
Upon successful execution, the attacker's arbitrary PL/SQL function runs with the elevated privileges of the trigger owner (MDSYS). This can lead to full compromise of the Oracle database, including unauthorized data access, modification, or destruction. If the Oracle software itself runs with high operating-system rights, the attack can also be leveraged to gain OS-level privileges [1].
Mitigation
Oracle released a patch for this issue as part of the Critical Patch Update program, and the vendor advisory recommends applying the relevant patch for Oracle 9i and 10g. As a workaround, where business requirements allow, revoke EXECUTE on the PRVT_CMT_CBK package and DELETE on SDO_TXN_IDX_INSERTS from PUBLIC. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
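The following SQL is an added example for checking and applying the workaround above; it is not code from the advisory, from Oracle, or from this CVE entry. It assumes the package and table live in the MDSYS schema (the page names MDSYS only as the trigger owner) and that the session can read the DBA_TAB_PRIVS and DBA_TRIGGERS data-dictionary views.

```sql
-- Added example, not part of the advisory or of Oracle's own documentation.
-- Assumptions: PRVT_CMT_CBK and SDO_TXN_IDX_INSERTS are owned by MDSYS, and the
-- session holds a role that can query DBA_TAB_PRIVS and DBA_TRIGGERS.

-- 1. List any grant to PUBLIC on the package that exposes the callback
--    registration procedures and on the table whose DELETE fires the trigger.
--    Rows returned here mean the workaround has not been applied.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'MDSYS'
   AND (   (table_name = 'PRVT_CMT_CBK'        AND privilege = 'EXECUTE')
        OR (table_name = 'SDO_TXN_IDX_INSERTS' AND privilege = 'DELETE'))
 ORDER BY table_name, privilege;

-- 2. Confirm whether the default trigger is present and enabled, which is the
--    expected state on an unpatched instance.
SELECT owner, trigger_name, table_name, triggering_event, status
  FROM dba_triggers
 WHERE owner = 'MDSYS'
   AND trigger_name = 'SDO_CMT_CBK_TRIG';

-- 3. The workaround described above. Apply only where losing PUBLIC access to
--    these MDSYS objects is acceptable, since Oracle Spatial features may rely
--    on them; the vendor patch remains the real fix. Re-run query 1 afterwards
--    and expect no rows.
REVOKE EXECUTE ON mdsys.prvt_cmt_cbk FROM PUBLIC;
REVOKE DELETE  ON mdsys.sdo_txn_idx_inserts FROM PUBLIC;
```

Run the two SELECTs first on a test instance to record the baseline, apply the REVOKEs in a change window, then repeat query 1 on every database in scope so that the check can be scheduled as a recurring configuration audit.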
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:oracle:database_server:10.2.1:r2:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle9i:9.2.0.2:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ngssoftware.com/advisories/oracle23122004I.txt (NVD; Patch; Vendor Advisory)
- marc.info (NVD; Third Party Advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/18655 (NVD)
News mentions
No linked articles in our index yet.