Unrated severityNVD Advisory· Published Oct 17, 2023· Updated Feb 13, 2025

CVE-2023-22074

Description

Vulnerability in the Oracle Database Sharding component of Oracle Database Server. Supported versions that are affected are 19.3-19.20 and 21.3-21.11. Easily exploitable vulnerability allows high privileged attacker having Create Session, Select Any Dictionary privilege with network access via Oracle Net to compromise Oracle Database Sharding. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Sharding. CVSS 3.1 Base Score 2.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

High-privileged attacker can cause partial denial of service in Oracle Database Sharding via network access.

Vulnerability

An easily exploitable vulnerability exists in the Oracle Database Sharding component of Oracle Database Server, affecting versions 19.3-19.20 and 21.3-21.11. The vulnerability requires a high-privileged attacker with Create Session and Select Any Dictionary privileges and network access via Oracle Net. Successful exploitation requires human interaction from a person other than the attacker.

Exploitation

An attacker with high privileges (Create Session, Select Any Dictionary) can exploit this vulnerability by sending specially crafted network requests to the Oracle Database Sharding component. The attack requires a victim to perform an action that triggers the vulnerable code path. According to reference [1], the exploit may also involve exposure of password hashes.

Impact

Successful exploitation results in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Database Sharding, impacting availability. The CVSS 3.1 base score is 2.4 (Availability impacts). Reference [1] suggests that password hash exposure may also occur, though the official description only cites DOS.

Mitigation

Oracle has not released a patch for this vulnerability according to the available references. Administrators should monitor Oracle's security alerts for updates. No workaround is mentioned in the references.

References

Packet Storm

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Oracle Corporation/Database Shardingllm-create
Range: >=19.3 <=19.20, >=21.3 <=21.11
Oracle Corporation/Database Serverllm-fuzzy
Oracle Corporation/Oracle Database - Enterprise Editioncpe-rescue
Range: 19.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.oracle.com/security-alerts/cpuoct2023.htmlmitrevendor-advisory
packetstormsecurity.com/files/175352/Oracle-19c-21c-Sharding-Component-Password-Hash-Exposure.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000