#VU65486 Improper input validation in Oracle WebLogic Server - CVE-2022-24839


| Updated: 2024-03-26

Vulnerability identifier: #VU65486

Vulnerability risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-24839

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oracle WebLogic Server
Server applications / Application servers

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Centralized Third Party Jars (NekoHTML) component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0

External links
http://www.oracle.com/security-alerts/cpujul2022.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Oracle Solaris Cluster
Multiple vulnerabilities in Oracle StorageTek Tape Analytics (STA)
Multiple vulnerabilities in IBM Secure Proxy
Jira Software Data Center and Server update for nekohtml
Atlassian Bitbucket Data Center and Server update for third-party software
Atlassian Confluence Data Center and Server update for third-party software
Atlassian Crowd Data Center and Server update for third-party software
Atlassian Jira Service Management Data Center and Server update for third-party software
Atlassian Bamboo Data Center and Server update for third-party applications
Two vulnerabilities in Confluence Data Center and Server