CVE-2020-2737: 
Oracle Database Server vulnerability analysis and mitigation

CVE-2020-2737 is a vulnerability discovered in the Core RDBMS component of Oracle Database Server. The vulnerability affects multiple versions including 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c. It was disclosed and patched as part of Oracle's April 2020 Critical Patch Update (Oracle CPU).

The vulnerability is classified as difficult to exploit and requires a high-privileged attacker with Create Session and Execute Catalog Role privileges having network access via Oracle Net. Successful exploitation requires human interaction from a person other than the attacker. The vulnerability has been assigned a CVSS v3.0 Base Score of 6.4, indicating high severity impacts on confidentiality, integrity, and availability. The CVSS Vector is (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) (Oracle Risk Matrix).

A successful exploitation of this vulnerability can result in complete takeover of the Core RDBMS component. This means an attacker could potentially gain unauthorized access to critical database functions and data, compromising the confidentiality, integrity, and availability of the database system (Oracle Risk Matrix).

Oracle addressed this vulnerability in the April 2020 Critical Patch Update. The fix is available for all affected versions (11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c). Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible (Oracle CPU).

The vulnerability was discovered and reported by Alexander Kornbrust of Red Database Security, demonstrating ongoing security research in Oracle database systems (Oracle CPU).