The module exploits an sql injection flaw in the CREATE_CHANGE_SET procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.
26ed86f78f01db48be7f14a8b9f1b9fec76717709540eee30aa0dfa68088569f
Team SHATTER Security Advisory - Oracle Database provides the DBMS_CDC_PUBLISH PL/SQL package owned by SYS that is part of the Change Data Capture component. This package has a SQL Injection vulnerability in CREATE_CHANGE_SET procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the SYS user.
a4826476bad8dd89e0725984586be712f1bfa2620f4faad2b0e241fb72a4af3a