CVE-2006-3705
Description
Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB21 for Statistics and (2) DB22 for Upgrade & Downgrade. NOTE: as of 20060719, Oracle has not disputed a claim by a reliable researcher that DB21 is for a local SQL injection vulnerability in SYS.DBMS_STATS, and that DB22 is for SQL injection in SYS.DBMS_UPGRADE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Two SQL injection vulnerabilities in Oracle Database 10.1.0.5 in SYS.DBMS_STATS and SYS.DBMS_UPGRADE, fixed in CPU July 2006.
Vulnerability
Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, but a reliable researcher indicates that DB21 is a local SQL injection vulnerability in SYS.DBMS_STATS and DB22 is a SQL injection in SYS.DBMS_UPGRADE [1][2][4]. The vulnerable packages are part of Oracle 10g Release 1 (10.1.0.5).
Exploitation
For DB22 (SYS.DBMS_UPGRADE), exploitation requires the attacker to have the privilege to create a PL/SQL function [4]. Specific steps for DB21 are not disclosed, but both are SQL injection vulnerabilities that can be triggered locally.
Impact
The official description states unknown impact, but SQL injection in PL/SQL packages can lead to unauthorized data access, privilege escalation, or arbitrary code execution within the database context [1][2]. Oracle fixed these vulnerabilities in the July 2006 Critical Patch Update.
Mitigation
Apply the Oracle Critical Patch Update July 2006 patches for Oracle 10g Release 1 [3][4]. No workarounds are mentioned in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:oracle:database_server:10.1.0.5:*:*:*:*:*:*:*
- Range: =10.1.0.5
Patches
No patches discovered yet.
References
- www.red-database-security.com/advisory/oracle_cpu_july_2006.html (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/19054 (nvd; Patch)
- secunia.com/advisories/21111 (nvd; Vendor Advisory)
- secunia.com/advisories/21165 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2006/2863 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2006/2947 (nvd; Vendor Advisory)
- www.us-cert.gov/cas/techalerts/TA06-200A.html (nvd; US Government Resource)
- lists.grok.org.uk/pipermail/full-disclosure/2006-July/047992.html (nvd)
- lists.grok.org.uk/pipermail/full-disclosure/2006-July/047993.html (nvd)
- securityreason.com/securityalert/1251 (nvd)
- securitytracker.com/id (nvd)
- www.oracle.com/technetwork/topics/security/cpujul2006-101315.html (nvd)
- www.red-database-security.com/advisory/oracle_sql_injection_dbms_stats.html (nvd)
- www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade.html (nvd)
- www.securityfocus.com/archive/1/440447/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/440453/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/440758/100/100/threaded (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/27886 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/27887 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/27897 (nvd)