CVE-2025-50070: 
Oracle Database Server vulnerability analysis and mitigation

A vulnerability has been identified in the JDBC component of Oracle Database Server, tracked as CVE-2025-50070. The vulnerability affects Oracle Database Server versions 23.4 through 23.8. This security issue was discovered and reported by Alexander Kornbrust of Red Database Security (Oracle CPU).

The vulnerability is characterized as difficult to exploit and requires an authenticated OS user privilege with logon access to the infrastructure where JDBC executes. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.3 (Confidentiality impacts) with the following vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N. The vulnerability has been classified under CWE-284 (Improper Access Control) (NVD).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all JDBC accessible data. While the vulnerability exists in JDBC, attacks may significantly impact additional products due to scope change (Oracle CPU).

Oracle has released patches to address this vulnerability as part of the July 2025 Critical Patch Update. Organizations running affected versions (23.4-23.8) of Oracle Database Server should apply the security patches without delay. Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches as soon as possible (Oracle CPU).