CVE-2026-50636
Oracle · Multiple Products
A SQL injection vulnerability in the Oracle RemoteControl API allows an authenticated attacker to inject malicious queries via the invite_participants and remind_participants methods.
Executive summary
A critical SQL injection flaw in the Oracle RemoteControl API allows authenticated attackers to manipulate backend database queries via improper input handling.
Vulnerability
The vulnerability exists in the TokenDynamic::findUninvited() function, where caller-supplied token-ID arrays are concatenated directly into SQL strings without proper sanitization.
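As an added illustration of the flaw class described above (this is example code, not Oracle's code or anything taken from the advisory), the following Python snippet uses an in-memory SQLite table as a stand-in for the token store and assumes token IDs are positive integers; it places the concatenating pattern beside a hardened form that validates each ID and binds one placeholder per array element:

```python
import sqlite3

# Constructed stand-in for the real token table (assumption: integer IDs,
# and an "invited" flag). Rows 1 and 3 are uninvited, 2 and 4 are invited.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE tokens (id INTEGER PRIMARY KEY, invited INTEGER NOT NULL);
INSERT INTO tokens VALUES (1, 0), (2, 1), (3, 0), (4, 1);
""")


def find_uninvited_vulnerable(token_ids):
    """Mirrors the described defect: the caller-supplied array is joined
    straight into the SQL text, so any element can alter the query."""
    joined = ",".join(str(t) for t in token_ids)
    sql = (
        "SELECT id FROM tokens WHERE invited = 0 AND id IN (%s) ORDER BY id"
        % joined
    )
    return [row[0] for row in conn.execute(sql)]


def find_uninvited_safe(token_ids):
    """Hardened form: reject anything that is not a positive integer, then
    bind one '?' placeholder per element so the driver escapes the values."""
    ids = []
    for t in token_ids:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(t, bool) or not isinstance(t, int) or t <= 0:
            raise ValueError(f"invalid token id: {t!r}")
        ids.append(t)
    if not ids:
        return []
    placeholders = ",".join("?" for _ in ids)
    sql = (
        f"SELECT id FROM tokens WHERE invited = 0 AND id IN ({placeholders}) "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, ids)]


if __name__ == "__main__":
    print(find_uninvited_safe([1, 2, 3]))  # expected: [1, 3]
```

With a crafted string element, the vulnerable version returns every row in the table while the safe version raises `ValueError` before any SQL is built; monitoring for such malformed elements at the API boundary is the detection hook the remediation section refers to.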
Business impact
With a CVSS score of 8.8, this vulnerability poses a high risk of unauthorized data exposure or manipulation. Exploitation could allow an authenticated attacker to extract sensitive information from the database or compromise the integrity of the application's data layer.
Remediation
Immediate Action: Apply the relevant security patches released by Oracle to address the input validation flaw in the RemoteControl API.
Proactive Monitoring: Monitor database query logs for unusual syntax or unexpected input patterns originating from the RemoteControl API endpoints.
Compensating Controls: Utilize a WAF to inspect and block malicious input strings targeting the affected API methods until a patch is applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations utilizing Oracle products with the RemoteControl API must verify whether their specific product version is impacted and apply the necessary patches. Given the potential for data compromise, immediate action is required to secure the database interface.