CVE-2009-1979

CVE-2009-1979 is a critical-severity vulnerability in Oracle Database Server with a CVSS 2.0 base score of 10.0. Its EPSS exploit-prediction score of 76% places it in the 99th percentile, indicating an elevated likelihood of exploitation.

Key facts

Description

Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an independent researcher that this is related to improper validation of the AUTH_SESSKEY parameter length that leads to arbitrary code execution.

Frequently asked questions

What is CVE-2009-1979?
Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an independent researcher that this is related to improper validation of the AUTH_SESSKEY parameter length that leads to arbitrary code execution.
How severe is CVE-2009-1979?
CVE-2009-1979 has a CVSS 2.0 base score of 10.0, rated critical severity.
Is CVE-2009-1979 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 76% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2009-1979?
CVE-2009-1979 primarily affects Oracle Database Server. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2009-1979?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2009-1979 published?
CVE-2009-1979 was published on 2009-10-22 and last updated on 2026-06-16.

References

Affected products (2)

More vulnerabilities in Oracle Database Server

All CVEs affecting Oracle Database Server →