Allround Automations PL/SQL Developer < HTTP Insecure Update RCE

Medium Nessus Plugin ID 90797


The application installed on the remote host is affected by a remote code execution vulnerability.


The version of Allround Automations PL/SQL Developer installed on the remote host is prior to It is, therefore, affected by a remote code execution vulnerability due to a failure to properly verify the origin or authenticity of update data sent via HTTP. A man-in-the-middle attacker can exploit this to modify the client-server data stream to change the update, allowing the execution of arbitrary code.


Upgrade to PL/SQL Developer version or later.

Plugin Details

Severity: Medium

ID: 90797

File Name: plsql_developer_11_0_6.nasl

Version: $Revision: 1.3 $

Type: local

Agent: windows

Family: Windows

Published: 2016/04/29

Modified: 2016/05/03

Dependencies: 90798

Risk Information

Risk Factor: Medium


Base Score: 5.8

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:allroundautomation:pl%2fsql_developer

Required KB Items: SMB/Registry/Enumerated, installed_sw/PL_SQL Developer

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/04/25

Vulnerability Publication Date: 2016/04/25

Reference Information

CVE: CVE-2016-2346

BID: 87615

OSVDB: 137574

CERT: 229047

IAVA: 2016-A-0112