Vulnerability Name: | CVE-2019-2725 (CCN-160236) | ||||||||||||
Assigned: | 2018-12-14 | ||||||||||||
Published: | 2019-04-26 | ||||||||||||
Updated: | 2022-04-27 | ||||||||||||
Summary: | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | ||||||||||||
CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 8.8 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
8.8 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
| ||||||||||||
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
| ||||||||||||
Vulnerability Type: | CWE-74 | ||||||||||||
Vulnerability Consequences: | Gain Access | ||||||||||||
References: | Source: MITRE Type: CNA CVE-2019-2725 Source: MISC Type: Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/152756/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html Source: CCN Type: Oracle CVE-2019-2725 Oracle Security Alert for CVE-2019-2725 Source: MISC Type: Patch, Vendor Advisory http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html Source: CCN Type: Oracle CPUJul2019 Oracle Critical Patch Update Advisory - July 2019 Source: MISC Type: Patch, Vendor Advisory http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Source: BID Type: Broken Link 108074 Source: XF Type: UNKNOWN oracle-cve20192725-code-exec(160236) Source: CCN Type: Packet Storm Security [05-07-2019] Oracle Weblogic Server Deserialization Remote Code Execution Source: CONFIRM Type: Third Party Advisory https://support.f5.com/csp/article/K90059138 Source: CCN Type: CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY KNOWN EXPLOITED VULNERABILITIES CATALOG Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [04-30-2019] Source: EXPLOIT-DB Type: Exploit, Third Party Advisory, VDB Entry 46780 Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [05-08-2019] Source: MISC Type: Patch, Vendor Advisory https://www.oracle.com/security-alerts/alert-cve-2019-2725.html#AppendixFMW Source: CCN Type: Oracle CPUJan2020 Oracle Critical Patch Update Advisory - January 2020 Source: MISC Type: Patch, Vendor Advisory https://www.oracle.com/security-alerts/cpujan2020.html Source: CCN Type: Oracle Security Alert Advisory - CVE-2019-2725 This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. | ||||||||||||
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||
BACK |