Vulnerabilities > CVE-2014-2424 - Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.7.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Unspecified vulnerability in the Oracle Event Processing component in Oracle Fusion Middleware 11.1.1.7.0 allows remote authenticated users to affect integrity via vectors related to CEP system.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | Oracle Event Processing FileUploadServlet Arbitrary File Upload. CVE-2014-2424. Remote exploit for windows platform |
file | exploits/windows/remote/33989.rb |
id | EDB-ID:33989 |
last seen | 2016-02-03 |
modified | 2014-07-07 |
platform | windows |
port | 9002 |
published | 2014-07-07 |
reporter | metasploit |
source | https://www.exploit-db.com/download/33989/ |
title | Oracle Event Processing FileUploadServlet Arbitrary File Upload |
type | remote |
Metasploit
description | This module exploits an arbitrary file upload vulnerability in Oracle Event Processing 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be abused to upload a malicious file onto an arbitrary location due to a directory traversal flaw, and compromise the server. By default Oracle Event Processing uses a Jetty Application Server without JSP support, which limits the attack to WbemExec. The current WbemExec technique only requires arbitrary write to the file system, but at the moment the module only supports Windows 2003 SP2 or older. |
id | MSF:EXPLOIT/WINDOWS/HTTP/ORACLE_EVENT_PROCESSING_UPLOAD |
last seen | 2020-06-02 |
modified | 2017-07-24 |
published | 2014-06-29 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/oracle_event_processing_upload.rb |
title | Oracle Event Processing FileUploadServlet Arbitrary File Upload |
Packetstorm
data source | https://packetstormsecurity.com/files/download/127365/oracle_event_processing_upload.rb.txt |
id | PACKETSTORM:127365 |
last seen | 2016-12-05 |
published | 2014-07-06 |
reporter | rgod |
source | https://packetstormsecurity.com/files/127365/Oracle-Event-Processing-FileUploadServlet-Arbitrary-File-Upload.html |
title | Oracle Event Processing FileUploadServlet Arbitrary File Upload |