Multiple vulnerabilities in Oracle WebLogic Server

1) Incorrect default permissions

EUVDB-ID: #VU50139

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8908

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files located in the temporary directory set by the Guava com.google.common.io.Files.createTempDir(). A local user with access to the system can view contents of files and directories or modify them.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU78399

Risk: Low

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-22031

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU52651

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-28168

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. A local attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU78398

Risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-22040

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU75409

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-20863

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use a specially crafted SpEL expression and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU78396

Risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-24409

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Centralized Thirdparty Jars (BSAFE SSL-J) component in Oracle WebLogic Server. A remote authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU75561

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-20860

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an input validation error caused by using the wildcard ("**") as a pattern in Spring Security configuration with the mvcRequestMatcher, which creates a mismatch in pattern matching between Spring Security and Spring MVC. A remote attacker can bypass certain security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Code Injection

EUVDB-ID: #VU68827

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-42890

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to the application allows running Java classes via JavaScript. A remote user can use JavaScript to execute a Java class on the system and obtain its execution results.

Example:

Runtime.getRuntime().exec("xxx");

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Uncontrolled Recursion

EUVDB-ID: #VU75044

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-1370

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Uncontrolled Recursion

EUVDB-ID: #VU75431

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-1436

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Code Injection

EUVDB-ID: #VU77779

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-26119

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when parsing XSTL code. A remote attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0

CPE2.3

• cpe:2.3:a:oracle:oracle_weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:oracle_weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

External links

https://www.oracle.com/security-alerts/cpujul2023.html?3219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.