Description

Universal Description Discovery and Integration (UDDI) application is publicly available on this WebLogic server. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to cause the WebLogic web server to connect to an arbitrary TCP port of an arbitrary host. Responses returned are fairly verbose and can be used to infer whether a service is listening on the port specified. This vulnerability affects Oracle Fusion Middleware 10.0.2, 10.3.6.

Remediation

Apply the Oracle Critical Patch Update Advisory from July 2014 or restrict access to the UDDI application.

References

WebLogic SSRF And XSS (CVE-2014-4241, CVE-2014-4210, CVE-2014-4242)

Oracle Critical Patch Update Advisory - July 2014

Related Vulnerabilities

WordPress Plugin SoundCloud Is Gold 'width' Parameter Cross-Site Scripting (2.1)

WordPress Plugin Nextend Facebook Connect Cross-Site Scripting (1.5.5)

WordPress Plugin Essential Addons for Elementor Cross-Site Scripting (5.0.8)

WordPress Plugin MP3 Audio Player for Music, Radio & Podcast by Sonaar Cross-Site Scripting (3.0.1)

WordPress Plugin Code Insert Manager (Q2W3 Inc Manager) ZeroClipboard Cross-Site Scripting (2.3.1)

Severity

High

Classification

CVE-2014-4241 CVE-2014-4210 CVE-2014-4242 CWE-918 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

SSRF XSS