Multiple vulnerabilities in Oracle Database Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2020-36843 CVE-2024-13176 CVE-2025-30702 CVE-2025-30694 CVE-2025-30733 CVE-2025-30701 CVE-2025-30736 |
| CWE-ID | CWE-347 CWE-385 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle Database Server Server applications / Database software |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU105889
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36843
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the EdDSA implementation in affected plugin exhibits signature malleability. A remote user can create new valid signatures different from previous signatures for a known message.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Database Server: 23.4 - 23.7
CPE2.3- cpe:2.3:a:oracle:oracle_database:23.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:23.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:23.6:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Covert Timing Channel
EUVDB-ID: #VU103600
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13176
CWE-ID:
CWE-385 - Covert Timing Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to recover a private key.
The vulnerability exists due to a timing side-channel in ECDSA signature computations. A remote attacker can recover the private key and decrypt data.
Successful exploitation of the vulnerability requires that the attacker's process must either be located in the same physical computer or must have a very fast network connection with low latency.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Database Server: 23.4 - 23.7
CPE2.3- cpe:2.3:a:oracle:oracle_database:23.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:23.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:23.6:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU107474
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30702
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Fleet Patching & Provisioning in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Database Server: 19.3 - 19.26
CPE2.3- cpe:2.3:a:oracle:oracle_database:19.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.5:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU107473
Risk: Medium
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30694
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the XML Database in Oracle Database Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Database Server: 19.3 - 23.7
CPE2.3- cpe:2.3:a:oracle:oracle_database:19.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.5:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper input validation
EUVDB-ID: #VU107472
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30733
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the RDBMS Listener in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Database Server: 19.3 - 23.7
CPE2.3- cpe:2.3:a:oracle:oracle_database:19.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.5:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper input validation
EUVDB-ID: #VU107471
Risk: Medium
CVSSv4.0: 5.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30701
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the RAS Security in Oracle Database Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Database Server: 19.3 - 23.7
CPE2.3- cpe:2.3:a:oracle:oracle_database:19.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.5:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper input validation
EUVDB-ID: #VU107470
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30736
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Database Server: 19.3 - 23.7
CPE2.3- cpe:2.3:a:oracle:oracle_database:19.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_database:19.5:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2025.html?1408
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
