SB2025012238 - Multiple vulnerabilities in Oracle WebLogic Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025012238

SB2025012238 - Multiple vulnerabilities in Oracle WebLogic Server

Published: January 22, 2025

Security Bulletin ID SB2025012238
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 50% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2024-23635)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when parsing comment tags. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of the vulnerability requires that the preserveComments directive is enabled in policy file.


2) Resource exhaustion (CVE-ID: CVE-2024-29857)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to library does not properly control consumption of internal resources when importing an EC certificate with specially crafted F2m parameters. A remote attacker can pass a specially crafted certificate to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Improper input validation (CVE-ID: CVE-2025-21549)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


4) Resource exhaustion (CVE-ID: CVE-2024-47554)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling untrusted input passed to the org.apache.commons.io.input.XmlStreamReader class. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Improper input validation (CVE-ID: CVE-2023-7272)

The vulnerability allows a remote non-authenticated attacker to a crash the entire system.

The vulnerability exists due to improper input validation within the Centralized Thirdparty Jars (Eclipse Parsson) component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to a crash the entire system.


6) Improper input validation (CVE-ID: CVE-2025-21535)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


Remediation

Install update from vendor's website.

References