DerScanner
Home / Vulnerability Database / PL or SQL : Cursor snarfing
PL/SQL

PL or SQL : Cursor snarfing

Classification

OWASP Top 10 2017
A5-Broken Access Control
OWASP Top 10 2021
A1-Broken Access Control
HIPAA
§164.312 (a)(1)
CWE
CWE-404CWE-619

Overview

Cursor snarfing is possible. The application fails to release an opened cursor.

Every cursor is associated with the privileges of the user who created it. If a user with less privileges captures the unreleased cursor, it can be used to gain unauthorized access to valuable data.

References

  1. CWE-404: Improper Resource Shutdown or Release
  2. CWE-619: Dangling Database Cursor (‘Cursor Injection’)
  3. Dangling Cursor Snarfing: A New Class of Attack in Oracle - David Litchfield (pdf)
  4. OWASP Top 10 2017-A5-Broken Access Control
MEDIUM

DerScanner Severity Score

Do you want to fix PL or SQL : Cursor snarfing in your application?

See also

PL/SQL

PL or SQL : Open redirect

PL/SQL

PL or SQL : Cross-site scripting (XSS)

PL/SQL

PL or SQL : Weak hashing algorithm