Vulnerability Name:

CVE-2002-2142 (CCN-10392)

Assigned: 2002-10-15
Published: 2002-10-15
Updated: 2008-09-10
Summary: An undocumented extension for the Servlet mappings in the Servlet 2.3 specification, when upgrading to WebLogic Server and Express 7.0 Service Pack 1 from BEA WebLogic Server and Express 6.0 through 7.0.0.1, does not prepend a "/" character in certain URL patterns, which prevents the proper enforcement of role mappings and policies in applications that use the extension.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Configuration
References: Source: MITRE
Type: CNA
CVE-2002-2142

Source: BEA
Type: UNKNOWN
BEA02-22.00

Source: XF
Type: UNKNOWN
weblogic-security-policy-ignored(10392)

Source: CCN
Type: OSVDB ID: 60099
BEA WebLogic Server Servlet Mappings Undocumented Extension Policy Enforcement Bypass

Source: BID
Type: Patch
5971

Source: CCN
Type: BID-5971
BEA WebLogic Server/Express/Integration Application Migration Security Policy Weakness

Source: CCN
Type: BEA Systems, Inc. Security Advisory (BEA02-22.00)
Patch available to prevent policy roles and mappings from being ignored in WebLogic Integration 7.0 or in WebLogic Server 7.0 Service Pack 1

Vulnerable Configuration: Configuration 1:
  • cpe:/a:bea:weblogic_integration:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_integration:7.0:sp1:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.0:*:express:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:6.1:*:express:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0:*:express:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_server:7.0.0.1:*:express:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:oracle:weblogic_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:7.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_integration:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:bea:weblogic_integration:7.0:sp1:*:*:*:*:*:*

  • * Denotes that component is vulnerable