Positive TechnologiesPT-2020-07PT-2020-07: Arbitrary file reading in Oracle WebLogic Server
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.109 Low
EPSS
Percentile
95.0%
PT-2020-07: Arbitrary file reading in Oracle WebLogic Server
Oracle WebLogic Server
Severity:
Severity level: Medium
Impact: Arbitrary file reading in Oracle WebLogic Server
Access Vector: Remote
CVSS v3.1: Base 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE: CVE-2020-14622
Vulnerability description:
A vulnerability in Oracle WebLogic Server allows remote attackers to read local files in the context of the web server using a service URL and a specially crafted request. To exploit the vulnerability an adversary should have an administrative account. Access to the administrative panel is not required. The vulnerability can be exploited via 80 (HTTP) and 443 (HTTPS) ports providing access to resources from the Internet.
Advisory status:
April 1, 2020 - Vendor notification date
July 22, 2020 - Security advisory publication date (<https://www.oracle.com/security-alerts/cpujul2020.html>)
Credits:
The vulnerability was discovered by Arseny Sharoglazov, Positive Technologies
Related
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.109 Low
EPSS
Percentile
95.0%