Oracle WebLogic - Local File Inclusion (CVE-2022-21371)

Severity

CVE

CVE-2022-21371

CVSSv3 Score

7.5

Exploitable with Sniper

Vulnerability description

Oracle Weblogic is affected a Local File Inclusion vulnerability, inside the Console component,located in the /WEB-INF/weblogic.xml, //WEB-INF/web.xml, /META-INF/FEST.MF and /WEB-INF/portlet.xml endpoints. This allows attackers to read sensitive information from the target system by sending a special crafted HTTP GET request to the vulnerable endpoint.

Risk description

The risk exists that a remote unauthenticated attacker could exploit this vulnerability to read sensitive information from arbitrary files located on the file system of the server.

Recommendation

Upgrade the Oracle WebLogic to the latest version.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-21371

https://www.oracle.com/security-alerts/cpujan2022.html

Detectable with

Network Scanner

Vuln date

Jan 2022

Published

May 2022

Updated

May 2022

Software Type

Web server

Vendor

Oracle

Product

WebLogic

Codename