CVE-2021-2054
Description
Vulnerability in the RDBMS Sharding component of Oracle Database Server. Supported versions that are affected are 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows a high-privileged attacker having the Create Any Procedure, Create Any View, or Create Any Trigger privilege with network access via Oracle Net to compromise RDBMS Sharding. Successful attacks of this vulnerability can result in takeover of RDBMS Sharding. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
High-privileged attacker with network access can exploit improper privilege checks in Oracle RDBMS Sharding stored procedures to take over the component.
Vulnerability
An improper privilege management vulnerability exists in the RDBMS Sharding component of Oracle Database Server, affecting versions 12.2.0.1, 18c, and 19c. The flaw resides within the execution of stored procedures, where the process does not properly verify the caller's privileges [1]. An attacker must have high privileges (Create Any Procedure, Create Any View, or Create Any Trigger) and network access via Oracle Net to reach the vulnerable code path.
Exploitation
An attacker with high privileges and network access can exploit this flaw by executing a specially crafted stored procedure that bypasses privilege checks [1]. The ZDI advisory notes that authentication is required and the attack complexity is low, requiring no user interaction [1]. The specific sequence involves invoking a malicious or manipulated procedure that leverages the insufficient privilege validation to gain unauthorized access to resources.
Impact
Successful exploitation results in a complete takeover of RDBMS Sharding, with high impacts on confidentiality, integrity, and availability (CVSS 3.1 Base Score 7.2, vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) [1]. The attacker gains the ability to read, modify, or destroy sensitive shard data and potentially compromise the entire sharded database environment.
Mitigation
Oracle released a security patch for this vulnerability in its Critical Patch Update for January 2021. Affected users should apply the patch for their respective Oracle Database versions (12.2.0.1, 18c, 19c) as soon as possible. No workarounds are provided; patching is the only mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 12.2.0.1, 18c, 19c
- Range: 12.2.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.oracle.com/security-alerts/cpujan2021.html
- www.zerodayinitiative.com/advisories/ZDI-21-083/
News mentions
No linked articles in our index yet.