CVE-2015-0393
Description
Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a "seeded install," which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Oracle E-Business Suite AD component grants the PUBLIC role the INDEX privilege on the DUAL table during install, letting remote authenticated users escalate to SYSDBA and gain full control.
Vulnerability
An unspecified vulnerability in the Oracle Applications DBA (AD) component of Oracle E-Business Suite versions 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges [1]. According to a researcher, the root cause is that during a “seeded install,” the PUBLIC role is granted the INDEX privilege on the DUAL table [1]. The official Oracle description does not confirm this detail, but the flaw is cataloged as CVE-2015-0393.
Exploitation
An attacker needs a valid database user account authenticated to the Oracle E-Business Suite environment [1]. By leveraging the excessive INDEX privilege on the DUAL table granted to PUBLIC, the attacker can escalate privileges beyond the intended scope. The exact sequence involves using the INDEX privilege to manipulate internal data structures, ultimately achieving SYSDBA privileges [1]. No user interaction beyond the initial authentication is required.
Impact
Successful exploitation allows a remote authenticated attacker to gain SYSDBA privileges, which provide complete control over the Oracle database underlying the E-Business Suite [1]. This leads to full compromise of confidentiality, integrity, and availability of the database and all hosted applications. The attacker can read, modify, or delete any data and execute arbitrary code as the database owner.
Mitigation
Oracle released a patch as part of the January 2015 Critical Patch Update (CPU) [1]. Organizations running affected versions (11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4) should apply the CPU patch immediately. No workaround has been provided other than patching. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
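To confirm whether a given database carries the grant the researcher describes, the data dictionary can be audited directly. The queries below are an added example, not part of the CVE record or of Oracle's advisory; they assume an account that can read the DBA_* views, and they treat any privilege other than SELECT on SYS.DUAL as a finding, which is an assumption about what a clean install looks like.

```sql
-- Added audit example (not from Oracle or the CVE record).
-- Run as a user with access to DBA_TAB_PRIVS, DBA_INDEXES and DBA_OBJECTS.

-- 1. Every object privilege PUBLIC holds on SYS.DUAL.
--    Assumption: only SELECT is expected; anything else is flagged REVIEW.
SELECT p.grantee,
       p.privilege,
       p.grantable,
       p.grantor,
       CASE WHEN p.privilege = 'SELECT' THEN 'expected'
            ELSE 'REVIEW'
       END AS status
FROM   dba_tab_privs p
WHERE  p.owner      = 'SYS'
AND    p.table_name = 'DUAL'
AND    p.grantee    = 'PUBLIC'
ORDER  BY p.privilege;

-- 2. Any grantee (not only PUBLIC) holding INDEX on SYS.DUAL,
--    so a grant made to a role or a named user is not missed.
SELECT p.grantee, p.grantor, p.grantable
FROM   dba_tab_privs p
WHERE  p.owner      = 'SYS'
AND    p.table_name = 'DUAL'
AND    p.privilege  = 'INDEX'
ORDER  BY p.grantee;

-- 3. Indexes that exist on SYS.DUAL, with owner and creation time.
--    An index owned by a non-SYS schema shows the INDEX privilege was used
--    and should be traced back to the account that created it.
SELECT i.owner,
       i.index_name,
       i.index_type,
       o.created,
       o.last_ddl_time
FROM   dba_indexes i
JOIN   dba_objects o
       ON  o.owner       = i.owner
       AND o.object_name = i.index_name
       AND o.object_type = 'INDEX'
WHERE  i.table_owner = 'SYS'
AND    i.table_name  = 'DUAL'
ORDER  BY o.created;
```

Rows marked REVIEW in the first query, or any row from the second or third, indicate the database should be checked against the January 2015 CPU patch level.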
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:oracle:e-business_suite:11.5.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*
- Range: 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, 12.2.4
Patches
No patches discovered yet.