CVE-2020-2731 · Severity: LOW · CVSS 3.9

Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows low privileged at

Platform

oracle

Component

core-rdbms

Fixed in

12.1.1

12.2.1

18.0.1

19.0.1

AI confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2020-2731 is a vulnerability in the Core RDBMS component of Oracle Database Server. It is easily exploitable by a low-privileged attacker who already holds a local logon on the infrastructure where Core RDBMS runs, but a successful attack also requires an action by a person other than the attacker (UI:R in the CVSS vector). The outcome is unauthorized update, insert or delete access to some Core RDBMS data plus a partial denial of service; there is no confidentiality impact. Affected versions are 12.1.0.2, 12.2.0.1, 18c and 19c. Oracle delivers the fix through its January 2020 Critical Patch Update for each of those release lines, so the remedy is to apply that update to the installation you run, not to move to 19c.

Impact and Attack Scenarios

Successful exploitation of CVE-2020-2731 lets an attacker with local logon privileges make unauthorized updates, insertions or deletions of some data held by Core RDBMS; the vector rates confidentiality impact as none, so this is an integrity and availability problem rather than a data-exposure one. The availability side is a partial denial of service that can disrupt database operations. The low attack complexity, combined with the possibility of silently altering data, makes the flaw worth attention in environments where untrusted users hold operating-system accounts on the database host, even though the base score is low.

Exploitation Context

CVE-2020-2731 was publicly disclosed on January 15, 2020, alongside Oracle's January 2020 Critical Patch Update. Although the CVSS score is LOW (3.9), the ease of exploitation and the potential for data tampering warrant attention. There are no known active campaigns targeting this vulnerability, and no public proof-of-concept exploit has been widely reported. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog (see Threat Intelligence below).

Who Is at Risk

Organizations running Oracle Database Server 12.1.0.2, 12.2.0.1, 18c or 19c without the January 2020 Critical Patch Update are at risk, particularly where local logon to the database host is loosely controlled or local accounts carry more privilege than they need. Hosts shared by several tenants or teams are the more exposed case, because the attack vector is local: anyone with an operating-system session on the database host meets the prerequisite. The CVSS scope is unchanged, so the published impact is confined to the database component itself rather than extending across tenants.

Detection Steps

• linux / server (run on the database host; "oracle-db" is a placeholder unit name, most installations have no journald unit and Oracle writes diagnostics to the alert log instead, so check that and the Oracle Home patch inventory):

journalctl -u oracle-db | grep -iE "error|exception"
grep -iE "ORA-[0-9]+|error|exception" "$ORACLE_BASE"/diag/rdbms/*/*/trace/alert_*.log
"$ORACLE_HOME"/OPatch/opatch lspatches

• oracle (V$VERSION has no VERSION column, its text is in BANNER; the instance version is in V$INSTANCE, and DBA_REGISTRY_SQLPATCH shows whether the January 2020 update was actually applied to this database with datapatch, which a patched Oracle Home alone does not prove):

SELECT version FROM v$instance;
SELECT patch_id, description, status, action_time FROM dba_registry_sqlpatch ORDER BY action_time;

• generic web: review the database audit trail (UNIFIED_AUDIT_TRAIL, or DBA_AUDIT_TRAIL in traditional auditing) for logons and DML from operating-system accounts on the database host itself. The attack vector is local (AV:L) and requires an action by a second user (UI:R), so the activity of interest is local logons and modification of data by low-privileged accounts rather than network-facing traffic.
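The version query above tells you the release line, but not whether the January 2020 update is in place. The following is an added example written for this advisory, not code from the page or from Oracle: it takes the text of `opatch lspatches` (patches in the Oracle Home) and the DESCRIPTION/STATUS rows of DBA_REGISTRY_SQLPATCH (what datapatch applied to the database) and reports whether a database on an affected line still lacks the Release Update or Patch Set Update that carried the fix. It assumes Oracle's quarterly updates carry a YYMMDD date token in their version string (for example "19.6.0.0.200114"), that the January 2020 CPU is dated 2020-01-14, and that a database is only fixed when both the home and the database registry are at that level or later. The function names are this example's own, and the patch IDs in the sample data are constructed, not real.

```python
"""Classify an Oracle Database against the January 2020 Critical Patch Update.

Added example for this advisory (not the page's or Oracle's code). Inputs:
  - the text of `opatch lspatches`, i.e. what is installed in the Oracle Home
  - (DESCRIPTION, STATUS) rows from DBA_REGISTRY_SQLPATCH, i.e. what datapatch
    actually applied to the database
Assumption: quarterly updates carry a YYMMDD token ("19.6.0.0.200114"); the
January 2020 CPU is dated 2020-01-14. Sample patch IDs below are constructed.
"""
import re
from typing import List, Optional, Tuple

CPU_DATE_TOKEN = 200114  # YYMMDD of the January 2020 CPU (assumption, see above)
# Release lines named in the advisory. 18c/19c report as 18.x / 19.x in V$INSTANCE.
AFFECTED_PREFIXES = ("12.1.0.2", "12.2.0.1", "18.", "19.")

# "19.6.0.0.200114" -> group 1 "19.6.0.0", group 2 "200114"; "12.1.0.2.200114" likewise.
_UPDATE_RE = re.compile(r"\b(\d{2}\.\d+\.\d+\.\d+)\.(\d{6})\b")


def on_affected_line(version: str) -> bool:
    """version is V$INSTANCE.VERSION, e.g. '12.2.0.1.0' or '19.0.0.0.0'."""
    return version.startswith(AFFECTED_PREFIXES)


def latest_update_token(text: str) -> Optional[int]:
    """Highest YYMMDD token in any RU/PSU description, or None for a bare base release."""
    tokens = [int(m.group(2)) for m in _UPDATE_RE.finditer(text)]
    return max(tokens) if tokens else None


def needs_patch(version: str, opatch_output: str,
                sqlpatch_rows: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (needs_patch, reason).

    The Oracle Home and the database registry must both show an update dated at
    or after the CPU: a patched home where datapatch never ran (or ran WITH
    ERRORS) leaves the database itself unfixed.
    """
    if not on_affected_line(version):
        return False, f"{version} is not on a release line listed as affected"
    home_token = latest_update_token(opatch_output)
    if home_token is None or home_token < CPU_DATE_TOKEN:
        level = home_token if home_token is not None else "base release"
        return True, f"Oracle Home update level {level} predates {CPU_DATE_TOKEN}"
    # Only rows datapatch finished successfully count as applied to the database.
    applied = "\n".join(desc for desc, status in sqlpatch_rows if status.upper() == "SUCCESS")
    db_token = latest_update_token(applied)
    if db_token is None or db_token < CPU_DATE_TOKEN:
        level = db_token if db_token is not None else "nothing"
        return True, f"home is at {home_token} but datapatch applied {level} to this database"
    return False, f"home and database both at update level {db_token}"


# --- constructed sample inventories (patch IDs are placeholders, not real) ---
OPATCH_OCT2019 = """Oracle Interim Patch Installer version 12.2.0.1.17
11111111;OJVM RELEASE UPDATE: 19.5.0.0.191015 (11111111)
22222222;Database Release Update : 19.5.0.0.191015 (22222222)
OPatch succeeded.
"""
OPATCH_JAN2020 = """Oracle Interim Patch Installer version 12.2.0.1.19
33333333;OJVM RELEASE UPDATE: 19.6.0.0.200114 (33333333)
44444444;Database Release Update : 19.6.0.0.200114 (44444444)
OPatch succeeded.
"""
SQLPATCH_OCT2019 = [("Database Release Update : 19.5.0.0.191015 (22222222)", "SUCCESS")]
SQLPATCH_JAN2020 = SQLPATCH_OCT2019 + [
    ("Database Release Update : 19.6.0.0.200114 (44444444)", "SUCCESS")]
# datapatch was run but failed: the home is patched, the database is not.
SQLPATCH_FAILED = SQLPATCH_OCT2019 + [
    ("Database Release Update : 19.6.0.0.200114 (44444444)", "WITH ERRORS")]
OPATCH_12102 = "55555555;Database Patch Set Update : 12.1.0.2.200114 (55555555)\n"
SQLPATCH_12102 = [("Database Patch Set Update : 12.1.0.2.200114 (55555555)", "SUCCESS")]

if __name__ == "__main__":
    cases = [
        ("19c, Oct 2019 RU everywhere", "19.0.0.0.0", OPATCH_OCT2019, SQLPATCH_OCT2019),
        ("19c, home patched, datapatch not run", "19.0.0.0.0", OPATCH_JAN2020, SQLPATCH_OCT2019),
        ("19c, home patched, datapatch failed", "19.0.0.0.0", OPATCH_JAN2020, SQLPATCH_FAILED),
        ("19c, fully patched", "19.0.0.0.0", OPATCH_JAN2020, SQLPATCH_JAN2020),
        ("12.1.0.2 base release, no PSU", "12.1.0.2.0", "OPatch succeeded.\n", []),
        ("12.1.0.2 with Jan 2020 PSU", "12.1.0.2.0", OPATCH_12102, SQLPATCH_12102),
    ]
    for label, ver, home, rows in cases:
        flag, why = needs_patch(ver, home, rows)
        print(f"{label}: {'NEEDS PATCH' if flag else 'ok'} ({why})")
```

The check is deliberately conservative: it treats a failed or missing datapatch run as unpatched, because the SQL-side changes of a Release Update are only in effect once DBA_REGISTRY_SQLPATCH records them as SUCCESS. A home that `opatch lspatches` reports as current is a necessary but not sufficient condition.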

Attack Timeline

  1. Disclosure
  2. Patch

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet exposure: Low

EPSS

0.13% (33rd percentile)

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L — base score 3.9, LOW. The vector string itself is in CVSS v3.0 notation, even though this page labels the score as v3.1.

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

What do these metrics mean?
Attack Vector
Local: the attacker needs a local session or shell on the system.
Attack Complexity
Low: no special conditions required; reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
Required: a person other than the attacker has to take an action.
Scope
Unchanged: impact is confined to the vulnerable component.
Confidentiality
None: no confidentiality impact.
Integrity
Low: the attacker can modify some data, with limited scope.
Availability
Low: partial or intermittent denial of service.

Affected Software

Component: core-rdbms
Vendor: Oracle Corporation

Affected version    Fixed in
12.1.0.2            12.1.1
12.2.0.1            12.2.1
18c                 18.0.1
19c                 19.0.1

The "fixed in" markers are this page's labels for the patched state of each release line; Oracle ships the fix as part of the January 2020 Critical Patch Update for that line rather than as a new version number.

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2020-2731 is to apply Oracle's January 2020 Critical Patch Update (or a later update) to the affected release line you run: 12.1.0.2, 12.2.0.1, 18c or 19c. If patching cannot happen immediately, restrict local logon on the database host to the accounts that genuinely need it, since the attack requires a local session, and keep those accounts at minimum privilege. Robust access controls and monitoring of database activity help detect unauthorized modification. There is no direct workaround that removes the flaw. After patching, verify the fix from the patch inventory rather than by attempting exploitation, for which no public steps exist: confirm with `opatch lspatches` that the Oracle Home carries the January 2020 update and with DBA_REGISTRY_SQLPATCH that datapatch applied it to the database with status SUCCESS.

How to Remediate

Apply the patch Oracle provides in the January 2020 Critical Patch Update to fix the vulnerability in the Core RDBMS component. Consult Oracle's security advisory for details and specific instructions on applying the patch.

Frequently Asked Questions

What is CVE-2020-2731 — RDBMS Vulnerability in Oracle Database Server?

CVE-2020-2731 is a LOW severity vulnerability in Oracle Database Server allowing local attackers to potentially compromise the RDBMS and modify data.

Am I affected by CVE-2020-2731 in Oracle Database Server?

You are affected if you are running Oracle Database Server 12.1.0.2, 12.2.0.1, 18c or 19c and have not applied the January 2020 Critical Patch Update (or a later one) to that installation.

How do I fix CVE-2020-2731 in Oracle Database Server?

Apply Oracle's January 2020 Critical Patch Update, or any later update, to the release line you run. Restricting local logon on the database host is an interim measure, not a fix.

Is CVE-2020-2731 being actively exploited?

There are no known active campaigns targeting this vulnerability, no widely reported public proof of concept, and it is not in CISA's KEV catalog; the low attack complexity nonetheless warrants patching.

Where can I find the official Oracle advisory for CVE-2020-2731?

This page links to https://www.oracle.com/security-alerts/cpuapr2020.html; the fix for CVE-2020-2731 itself shipped in Oracle's January 2020 Critical Patch Update, so consult that Critical Patch Update advisory on Oracle's security-alerts site for the Oracle Database Server risk matrix entry.
