Oracle WebLogic - Local File Inclusion (CVE-2022-21371)

Severity
CVSSv3 Score: 7.5
CVE: CVE-2022-21371

Vulnerability description

Oracle Weblogic is affected a Local File Inclusion vulnerability, inside the Console component,located in the /WEB-INF/weblogic.xml, //WEB-INF/web.xml, /META-INF/FEST.MF and /WEB-INF/portlet.xml endpoints. This allows attackers to read sensitive information from the target system by sending a special crafted HTTP GET request to the vulnerable endpoint.

Risk description

The risk exists that a remote unauthenticated attacker could exploit this vulnerability to read sensitive information from arbitrary files located on the file system of the server.

Recommendation

Upgrade the Oracle WebLogic to the latest version.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-21371

https://www.oracle.com/security-alerts/cpujan2022.html

Codename

Detectable with: Network Scanner
Exploitable with Sniper: No
Vuln date: Jan 2022
Published at: May 2022
Updated at: May 2022
Software Type: Web server
Vendor: Oracle
Product: WebLogic