CVE-2019-25653
Received - Intake
Buffer Overflow in Navicat for Oracle 12.1.15 Causes DoS

Publication date: 2026-03-30

Last updated on: 2026-04-08

Assigner: VulnCheck

Description
Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-08
Generated: 2026-05-27
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor     Product               Version / Range
navicat    navicat_for_oracle    to 12.1.15 (inc)
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a denial of service (DoS) issue in Navicat for Oracle version 12.1.15. It allows local attackers to crash the application by entering an excessively long string into the password field during Oracle connection configuration.

Specifically, an attacker can paste a buffer of 550 repeated characters into the password parameter, which triggers the application to crash due to improper handling of the input length.


How can this vulnerability impact me?

The impact of this vulnerability is a denial of service condition where the Navicat for Oracle application crashes when the password field receives an excessively long input.

This crash can disrupt database management activities, potentially causing downtime or loss of productivity for users relying on the application.

Since the attack requires local access and no privileges or user interaction, it could be exploited by a local attacker to interrupt service availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the denial of service condition on Navicat for Oracle 12.1.15 by supplying an excessively long string in the password field during Oracle connection configuration.

A proof of concept involves generating a payload of 550 repeated characters (e.g., "A" characters) and pasting it into the password field of the Oracle connection setup in Navicat. If the application crashes, the vulnerability is present.

  • Run a Python script to generate a payload of 550 "A" characters.
  • Copy the generated payload to the clipboard.
  • Open Navicat for Oracle 12.1.15 and create a new Oracle connection.
  • Paste the payload into the password field.
  • Attempt to connect and observe if the application crashes.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of Navicat for Oracle version 12.1.15 or earlier until a patch or update is available.

Do not allow untrusted local users to access the system or configure Oracle connections using Navicat, as the vulnerability requires local access.

Monitor for application crashes related to password input and restrict local user permissions to prevent exploitation.

Check for updates or newer versions of Navicat for Oracle that address this vulnerability and apply them as soon as possible.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

