Oracle Weblogic - Path Traversal (CVE-2020-14882)
- Severity
- CVSSv3 Score
  - 9.8
- Vulnerability description
Oracle WebLogic Server is affected by a path traversal vulnerability in its Console component. The flaw is caused by an improperly configured path traversal blacklist applied to the server URL, located in a handler class of the WebLogic HTTP access layer. By exploiting it, an attacker can bypass authentication to the console component and send commands via an MVEL expression, which may lead to remote code execution, allowing a malicious unauthenticated attacker to execute arbitrary code on the server.
- Risk description
The risk exists that a remote unauthenticated attacker can fully compromise the Oracle WebLogic server to steal confidential information, install ransomware, or pivot to the internal network.
- Recommendation
Upgrade Oracle WebLogic to the latest version.
- References
https://nvd.nist.gov/vuln/detail/CVE-2020-14882
https://support.oracle.com/knowledge/Oracle%20Database%20Products/2733752_1.html
- Codename
  - Not available
- Detectable with
  - Network Scanner
- Exploitable with Sniper
  - No
- Vuln date
  - Oct 2020
- Published at
- Updated at
- Software Type
  - Web server
- Vendor
  - Oracle
- Product
  - WebLogic