Summary
This host is running Oracle WebLogic Server and is prone to multiple security bypass vulnerabilities
Impact
Successful exploitation could allow attackers to execute arbitrary code under the context of the application.
Impact Level: Application
Solution
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
Insight
- Soap interface exposes the 'deleteFile' function which could allow to delete arbitrary files with administrative privileges on the target server through a directory traversal vulnerability.
- A web service called 'FlashTunnelService' which can be reached without prior authentication and processes incoming SOAP requests.
Affected
Oracle WebLogic Server version 12c (12.1.1)
References
Severity
Classification
-
CVSS Base Score: 5.7
AV:A/AC:M/Au:N/C:N/I:N/A:C
Related Vulnerabilities
- Apache Tomcat Hash Collision Denial Of Service Vulnerability
- Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability
- Apache 'Options' and 'AllowOverride' Directives Security Bypass Vulnerability
- IBM WebSphere Application Server (WAS) XSS and CSRF Vulnerabilities
- Cherokee URI Directory Traversal Vulnerability and Information Disclosure Vulnerability