Oracle Database QIDs - Confirmed vs Potential
The severity of a database QID is decided by authentication status of the scan. Depending on the various outcomes of the authentication status, the QID could be reported as potential (yellow) or confirmed (red) in the report.
Consider authenticated scan of the Oracle database. If the authentication is successful and the vulnerability is detected, the severity for the QID would be reported as confirmed (red). In case of unsuccessful authentication, it would be reported as potential (yellow) vulnerability.
The following table outlines the various possibilities of the two factors that decide the severity of the database QIDs and accordingly the severity of the QID.
Authentication Type/Status |
QID Severity Reported |
Remote Scan - No Authentication |
POTENTIAL (yellow) |
Internal Scan - No Authentication |
POTENTIAL (yellow) |
OS Authentication Failed |
POTENTIAL (yellow) |
OS Authentication Successful |
POTENTIAL (yellow) |
Database Authentication Failed |
POTENTIAL (yellow) |
Database Authentication Successful |
CONFIRMED (red) |
OS and Database Authentication Successful |
CONFIRMED (red) - since DB Auth Successful |
To evaluate whether patches present or not you need to use OS and Oracle DB authentication. When both authentication types are used and when authentication is successful during the scan, the vulnerability is reported as Confirmed (red) if patch not present.