POC and patch for the CVE-2018-15473

Dag-Erling Smørgrav des at FreeBSD.org
Thu Apr 25 09:46:37 UTC 2019


Brahmanand Reddy <brahma.gdb at gmail.com> writes:
> CVE-2018-15473 is a "user existence oracle bug which does not meet our
> criteria for security advisories".
>
> You mean this vulnerability which will impact/affects only for Oracle
> base? Kindly confirm.

An oracle vulnerability is a type of information disclosure bug which
does not directly expose information but can be used to confirm guesses.
In this case, the bug allows you to confirm the existence of an account
by attempting to log into it with a random password.  It does not
actually give you a list of existing accounts, as “account enumeration”
would suggest.

DES
-- 
Dag-Erling Smørgrav - des at FreeBSD.org
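
The distinction drawn in the message above, as an added example that is not part of the original post and is not OpenSSH code: a toy login check whose failure response confirms whether a guessed name exists, beside a version that answers uniformly, plus a self-check that tells them apart. The account names, passwords and function names are constructed for illustration, and the check compares response text only, not timing.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed account database: names and passwords are made up.
ACCOUNTS = {"alice": _make_record("correct horse"), "bob": _make_record("hunter2")}
# Record checked for unknown names so they cost the same work as real ones.
DUMMY = _make_record(os.urandom(16).hex())

def login_leaky(user: str, password: str) -> str:
    """Answers differently for unknown accounts: this is the oracle."""
    if user not in ACCOUNTS:
        return "no such user"
    salt, stored = ACCOUNTS[user]
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "ok" if ok else "bad password"

def login_uniform(user: str, password: str) -> str:
    """Same answer and same hashing work whether or not the account exists."""
    salt, stored = ACCOUNTS.get(user, DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "ok" if ok and user in ACCOUNTS else "denied"

def leaks_existence(login) -> bool:
    """Self-check: does a failed login reveal whether the name exists?"""
    guess = os.urandom(8).hex()  # random password, wrong for every account
    responses_known = {login(u, guess) for u in ACCOUNTS}
    responses_unknown = {login(u, guess) for u in ("mallory", "nobody")}
    return responses_known != responses_unknown
```

Neither function returns a list of accounts; the leaky one only confirms or refutes a name that the caller already supplied, which is the difference from enumeration that the message describes.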


More information about the freebsd-security mailing list