CVE-2023-40571

2023-08-2521:15:08

CWE-502

[email protected]

web.nvd.nist.gov

cve-2023-40571

weblogic-framework

deserialization vulnerability

remote code execution

nvd

security

patch

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.2%

JSON

weblogic-framework is a tool for detecting weblogic vulnerabilities. Versions 0.2.3 and prior do not verify the returned data packets, and there is a deserialization vulnerability which may lead to remote code execution. When weblogic-framework gets the command echo, it directly deserializes the data returned by the server without verifying it. At the same time, the classloader loads a lot of deserialization calls. In this case, the malicious serialized data returned by the server will cause remote code execution. Version 0.2.4 contains a patch for this issue.

Affected configurations

Vulners

NVD

Node

dream0x01weblogic_frameworkRange<0.2.4

CPENameOperatorVersion
weblogic-framework_project:weblogic-frameworkweblogic-framework project weblogic-frameworklt0.2.4

CPE	Name	Operator	Version
weblogic-framework_project:weblogic-framework	weblogic-framework project weblogic-framework	lt	0.2.4

CNA Affected

[
  {
    "vendor": "dream0x01",
    "product": "weblogic-framework",
    "versions": [
      {
        "version": "< 0.2.4",
        "status": "affected"
      }
    ]
  }
]