PT-2020-07: Arbitrary file reading in Oracle WebLogic Server

MEDIUM

(4.9) CVSS:3.1AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

THREATSCAPE

Analytics articles

What are the security threats on your network?

Check your traffic-for free

Request pilot

Vulnerable product:

Oracle WebLogic Server

Severity:

Severity level: Medium
Impact: Arbitrary file reading in Oracle WebLogic Server
Access Vector: Remote

CVSS v3.1: Base 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE: CVE-2020-14622

Vulnerability description:

A vulnerability in Oracle WebLogic Server allows remote attackers to read local files in the context of the web server using a service URL and a specially crafted request. To exploit the vulnerability an adversary should have an administrative account. Access to the administrative panel is not required. The vulnerability can be exploited via 80 (HTTP) and 443 (HTTPS) ports providing access to resources from the Internet.

Advisory status:

April 1, 2020 - Vendor notification date
July 22, 2020 - Security advisory publication date (https://www.oracle.com/security-alerts/cpujul2020.html)

Credits:

The vulnerability was discovered by Arseny Sharoglazov, Positive Technologies

Identifier:

CVE-2020-14622

Vendor:

Oracle

Vulnerable product:

Oracle WebLogic Server

Get in touch

Fill in the form and our specialists
will contact you shortly

General
questions

We're happy to answer any questions you may have.

Partnership

Join us in making the world a safer place.

Pilot
application

Test drive our solutions with a customized pilot program.