Team SHATTER Security Advisory – Oracle Database provides the DBMS_CDC_PUBLISH PL/SQL package, owned by SYS, as part of the Change Data Capture component. This package has a SQL injection vulnerability in the DROP_CHANGE_SOURCE procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the SYS user.
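One way to measure exposure to this issue, as an added example that is not part of the original advisory: the query below lists every user or role that can execute SYS.DBMS_CDC_PUBLISH, either directly or through nested role grants. It assumes a session that can read the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```sql
-- Added example: who can call SYS.DBMS_CDC_PUBLISH?
-- Assumes read access to the DBA_* dictionary views.
WITH direct AS (
  -- Grantees holding EXECUTE on the package itself
  SELECT grantee
  FROM   dba_tab_privs
  WHERE  owner      = 'SYS'
  AND    table_name = 'DBMS_CDC_PUBLISH'
  AND    privilege  = 'EXECUTE'
),
via_roles AS (
  -- Walk role grants upward: anyone granted a role that (transitively)
  -- contains one of the direct grantees inherits the privilege
  SELECT DISTINCT grantee
  FROM   dba_role_privs
  START WITH granted_role IN (SELECT grantee FROM direct)
  CONNECT BY NOCYCLE PRIOR grantee = granted_role
),
effective AS (
  SELECT grantee, 'direct'   AS how FROM direct
  UNION
  SELECT grantee, 'via role' AS how FROM via_roles
)
SELECT e.grantee,
       e.how,
       -- Anything not in DBA_USERS is a role (or PUBLIC)
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       u.account_status
FROM   effective e
LEFT JOIN dba_users u ON u.username = e.grantee
ORDER  BY grantee_type DESC, e.grantee;
```

Rows of type USER with an open account are the accounts able to reach the procedure; a row for PUBLIC means every database account can.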
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/88952/shatter-dbmscdcsql.txt
Source: https://packetstormsecurity.com/files/88952/Oracle-Database-SQL-Injection-In-DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE.html