Oracle’s new data redaction feature lets a database administrator selectively or fully redact or mask sensitive data in query results. David Litchfield, a well-known security researcher, tested the feature and found that it could be bypassed. An outside attacker also could access the redacted data via a Web-based SQL injection attack. Litchfeld: “It suggests they didn’t do an assessment on it before they shipped it. They didn’t [apparently perform] a penetration test on it””]
Source: https://www.darkreading.com/database-security/researcher-finds-flaws-in-key-oracle-security-feature