Description
The Oracle WebLogic WLS-WSAT Component (versions 12.2.1.2.0 and prior) is vulnerable to a XML Deserialization remote code execution vulnerability. Malicious input passed to the XMLDecoder constructor and read functions within the WorkContextXmlInputAdapter class result in the deserialization of an arbitrary Java serialized object. Unauthenticated attackers can exploit it to remotely execute arbitrary code.
Remediation
Oracle released a Critical Patch Update that fixes this issue. To fix this vulnerability it's recommended to install the Oracle Critical Patch Update from the References section.
References
Related Vulnerabilities
Missing Authentication Check in SAP Solution Manager
WordPress Plugin WordPress Download Manager Remote Code Execution (2.7.4)
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-29212)
Ruby on Rails directory traversal vulnerability
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-29211)