CVE-2021-2175: 
Oracle Database Server vulnerability analysis and mitigation

CVE-2021-2175 is a vulnerability discovered in the Database Vault component of Oracle Database Server, affecting versions 12.1.0.2, 12.2.0.1, 18c, and 19c. The vulnerability was disclosed and patched in April 2021. This security issue allows high-privileged attackers with Create Any View and Select Any View privileges to access unauthorized data through Oracle Net (Oracle CPU).

The vulnerability is characterized by a CVSS 3.1 Base Score of 2.7 (Low severity) with the vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. The exploit requires network access via Oracle Net and high privileges, specifically Create Any View and Select Any View permissions. The vulnerability allows attackers to bypass Database Vault restrictions and view metadata about security configurations that should be restricted (NVD, Database Security Ninja).

Successful exploitation of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data. Specifically, attackers can view sensitive metadata about Database Vault security configurations, which could expose information about security measures and data protection configurations (Oracle CPU).

Oracle has released patches for this vulnerability in the April 2021 Critical Patch Update. Organizations should update affected Oracle Database Server versions (12.1.0.2, 12.2.0.1, 18c, and 19c) to the patched versions. The fix prevents unauthorized access to Database Vault metadata through view creation (Oracle CPU).

The vulnerability was reported by Emad Al-Mousa of Saudi Aramco, demonstrating ongoing security research in database security. The relatively low CVSS score and high privilege requirement may have contributed to limited public discussion (Oracle CPU).