Team SHATTER Security Advisory - Oracle Database provides the DBMS_CDC_PUBLISH PL/SQL package owned by SYS that is part of the Change Data Capture component. This package has a SQL Injection vulnerability in CREATE_CHANGE_SET procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the SYS user.
a4826476bad8dd89e0725984586be712f1bfa2620f4faad2b0e241fb72a4af3a