Detections
Analytics
Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.4.0 / 14.1.1.0.0 Authentication Bypass
critical Web App Scanning Plugin ID 112705
Language:
Synopsis
Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.4.0 / 14.1.1.0.0 Authentication BypassDescription
Oracle Weblogic versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.4.0 & 14.1.1.0.0 suffer from a weakness allowing to bypass authentication and to access the management panel due to a bad character management %252e (".") & %252f ("/").In some cases, exploiting this vulnerability can lead to the execution of arbitrary code on the server.
Oracle proposes the associated patches on its site to fix the vulnerability.
Solution
Apply the security patches available on Oracle's website.See Also
https://www.oracle.com/security-alerts/cpuoct2020traditional.html
Plugin Details
Severity: Critical
ID: 112705
Type: remote
Family: Component Vulnerability
Published: 2/22/2021
Updated: 2/21/2024
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Critical
Score: 9.2
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2020-14882
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2020-14750
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 10/21/2020
CISA Known Exploited Vulnerability Due Dates: 5/3/2022
Reference Information
CVE: CVE-2020-14750, CVE-2020-14882
OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A8, 2017-A9, 2021-A1, 2021-A6, 2021-A8
WASC: Improper Input Handling, Path Traversal
CAPEC: 126, 586, 64, 76, 78, 79
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-10(5)
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-12.3.1, 4.0.2-14.2.1, 4.0.2-5.5.1