Weblogic Server Security Vulnerabilities and Issues — Weblogic Server CVE List

Lucene search

BeaWeblogic Server

10 matches found

CVE•added 2005/08/16 4:0 a.m.•530 views

CVE-2004-2320

The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vuln...

5.8CVSS6.2AI score0.0694EPSS

CVE•added 2005/08/16 4:0 a.m.•46 views

CVE-2003-1220

BEA WebLogic Server proxy plugin for BEA Weblogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (proxy plugin crash) via a malformed URL.

5CVSS7AI score0.00489EPSS

CVE•added 2005/08/16 4:0 a.m.•44 views

CVE-2003-1225

The default CredentialMapper for BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores passwords in cleartext on disk, which allows local users to extract passwords.

2.1CVSS6.4AI score0.00055EPSS

CVE•added 2005/08/16 4:0 a.m.•39 views

CVE-2003-1226

BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores certain secrets concerning password encryption insecurely in config.xml, filerealm.properties, and weblogic-rar.xml, which allows local users to learn those secrets and decrypt passwords.

2.1CVSS6.5AI score0.00033EPSS

CVE•added 2005/08/16 4:0 a.m.•38 views

CVE-2003-1223

The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap.

5CVSS7AI score0.00489EPSS

CVE•added 2005/08/16 4:0 a.m.•38 views

CVE-2003-1224

Weblogic.admin for BEA WebLogic Server and Express 7.0 and 7.0.0.1 displays the JDBCConnectionPoolRuntimeMBean password to the screen in cleartext, which allows attackers to read a user's password by physically observing ("shoulder surfing") the screen.

2.1CVSS6.6AI score0.00062EPSS

CVE•added 2005/08/16 4:0 a.m.•36 views

CVE-2004-2321

BEA WebLogic Server and Express 8.1 SP1 and earlier allows local users in the Operator role to obtain administrator passwords via MBean attributes, including (1) ServerStartMBean.Password and (2) NodeManagerMBean.CertificatePassword.

2.1CVSS6.6AI score0.00034EPSS

CVE•added 2005/08/16 4:0 a.m.•32 views

CVE-2003-1222

BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password.

5CVSS7.1AI score0.00262EPSS

CVE•added 2005/08/16 4:0 a.m.•30 views

CVE-2003-1221

BEA WebLogic Express and Server 7.0 through 8.1 SP 1, under certain circumstances when a request to use T3 over SSL (t3s) is made to the insecure T3 port, may use a non-SSL connection for the communication, which could allow attackers to sniff sessions.

5CVSS7AI score0.00383EPSS

CVE•added 2005/08/18 4:0 a.m.•29 views

CVE-2004-2424

BEA WebLogic Server and WebLogic Express 8.1 through 8.1 SP2 allow remote attackers to cause a denial of service (network port consumption) via unknown actions in HTTPS sessions, which prevents the server from releasing the network port when the session ends.

5CVSS6.7AI score0.01123EPSS