Unrated severityNVD Advisory· Published Sep 21, 2012· Updated Apr 29, 2026

CVE-2012-3137

Description

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."

Affected products

Oracle Corporation/Database Server6 versions
cpe:2.3:a:oracle:database_server:10.2.0.3:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:a:oracle:database_server:10.2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:10.2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:10.2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.2.0.3:*:*:*:*:*:*:*
Oracle Corporation/Primavera P6 Enterprise Project Portfolio Management3 versions
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.2:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlnvdPatchVendor Advisory
www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.htmlnvdPatchVendor Advisory
www.exploit-db.com/exploits/22069nvdExploitThird Party AdvisoryVDB Entry
arstechnica.com/security/2012/09/oracle-database-stealth-password-cracking-vulnerability/nvdPress/Media Coverage
threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012nvdPress/Media Coverage
www.darkreading.com/authentication/167901072/security/application-security/240007643/attack-easily-cracks-oracle-database-passwords.htmlnvdPress/Media Coverage
www.mandriva.com/security/advisoriesnvdBroken Link
www.securityfocus.com/bid/55651nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.044
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000