VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2006 · Updated Apr 16, 2026

CVE-2006-0549

Description

SQL injection vulnerability in the SYS.DBMS_METADATA_UTIL package in Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB05 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. However, there are some inconsistencies that make this unclear, and there is also a possibility that this is related to DB06, which is subsumed by CVE-2006-0259.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Oracle Database 10g SYS.DBMS_METADATA_UTIL package allows remote attackers to execute arbitrary SQL commands.

Vulnerability

A SQL injection vulnerability exists in the SYS.DBMS_METADATA_UTIL package in Oracle Database 10g, and possibly earlier versions. The four functions LONG2VARCHAR, LONG2VCMAX, LONG2VCNT, and LONG2CLOB fail to properly sanitize the values passed in their col and tab parameters, allowing arbitrary SQL to be injected into the statements the package builds [2]. The package is accessible to every database user because execute privilege on it is granted to PUBLIC [3].

Exploitation

An attacker can exploit this vulnerability by passing crafted input to the vulnerable functions. No privileges beyond the default PUBLIC grants are needed, so any database user who can connect to the instance can attempt exploitation. The specific attack vector is not documented, but it likely involves calling one of the four functions with malicious SQL in the col or tab parameters [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the database server, potentially with elevated privileges. This could lead to unauthorized viewing, modification, or deletion of data, and in some cases, full compromise of the Oracle database [3].

Mitigation

Oracle addressed these vulnerabilities in the January 2006 Critical Patch Update (CPU) [1]. The fix is delivered with the CPU patches, which modify the affected package to validate its inputs with DBMS_ASSERT [2]. Organizations should apply the January 2006 CPU to Oracle Database 10g and any earlier affected versions. No workarounds are documented in the available references.
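As an added illustration (not Oracle's DBMS_METADATA_UTIL source and not from the cited references; the function names, the ROWID lookup and the error numbers quoted in comments are assumptions), here is the unchecked concatenation pattern the description attributes to the col and tab parameters, beside the DBMS_ASSERT-validated form the CPU fix is said to use:

```sql
-- Hypothetical LONG-to-VARCHAR2 helper in the vulnerable shape: COL and TAB are
-- spliced into dynamic SQL as raw text, so any value that is not a plain identifier
-- changes the statement that the SYS-owned package executes.
CREATE OR REPLACE FUNCTION long2vc_unsafe(col IN VARCHAR2, tab IN VARCHAR2, rid IN ROWID)
  RETURN VARCHAR2
IS
  v VARCHAR2(32767);
BEGIN
  EXECUTE IMMEDIATE 'SELECT ' || col || ' FROM ' || tab || ' WHERE ROWID = :r'
    INTO v USING rid;
  RETURN v;
END;
/

-- Hardened shape: each identifier is proven to be exactly one identifier before it
-- touches the statement text.
--   SIMPLE_SQL_NAME    raises ORA-44003 unless the value is a single (optionally
--                      double-quoted) SQL name.
--   QUALIFIED_SQL_NAME accepts an optional schema prefix such as SCOTT.EMP and raises
--                      ORA-44004 for anything else.
--   ENQUOTE_NAME       double-quotes the column name (upper-casing an unquoted one), so
--                      the parser can only ever treat it as a name, never as SQL.
CREATE OR REPLACE FUNCTION long2vc_safe(col IN VARCHAR2, tab IN VARCHAR2, rid IN ROWID)
  RETURN VARCHAR2
IS
  v        VARCHAR2(32767);
  safe_col VARCHAR2(130);
  safe_tab VARCHAR2(261);
BEGIN
  safe_col := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(col));
  safe_tab := DBMS_ASSERT.QUALIFIED_SQL_NAME(tab);
  -- The ROWID is bound, not concatenated, so it never becomes statement text either.
  EXECUTE IMMEDIATE 'SELECT ' || safe_col || ' FROM ' || safe_tab || ' WHERE ROWID = :r'
    INTO v USING rid;
  RETURN v;
END;
/
```

DBMS_ASSERT checks only the syntactic shape of an identifier; it does not check that the caller is allowed to read the table it names, so a definer's-rights package such as this one still needs its own privilege check (or AUTHID CURRENT_USER) to avoid acting as a read proxy for its owner.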

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
