CVE-2023-22071: 
Oracle Database Server vulnerability analysis and mitigation

CVE-2023-22071 is a vulnerability in the PL/SQL component of Oracle Database Server affecting versions 19.3-19.20 and 21.3-21.11. This easily exploitable vulnerability allows high-privileged attackers with Create Session and Execute on sys.utl_http privileges to compromise PL/SQL through Oracle Net access. The vulnerability was disclosed in Oracle's October 2023 Critical Patch Update (Oracle CPU).

The vulnerability has a CVSS 3.1 Base Score of 5.9 (Medium severity) with the vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The attack requires network access via Oracle Net and high privileges including Create Session and Execute on sys.utl_http. Successful exploitation requires human interaction from someone other than the attacker (Oracle CPU).

Successful exploitation can result in unauthorized update, insert or delete access to some PL/SQL accessible data, unauthorized read access to a subset of PL/SQL accessible data, and unauthorized ability to cause a partial denial of service of PL/SQL. The vulnerability has the potential to significantly impact additional products beyond PL/SQL due to scope change (Oracle CPU).

Oracle has released security patches for this vulnerability as part of the October 2023 Critical Patch Update. Organizations should apply these patches to affected Oracle Database Server versions 19.3-19.20 and 21.3-21.11. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible (Oracle CPU).