Vulnerabilities > CVE-2017-10137 - Unspecified vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.3.0.0

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
nessus
NVD
Published: 2017-08-08
Updated: 2019-10-03

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: JNDI). Supported versions that are affected are 10.3.6.0 and 12.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Vulnerable Configurations

Part Description Count
Application
Oracle
2

Nessus

NASL familyMisc.
NASL idORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL
descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A flaw exists in Jython due to executable classes being created with insecure permissions. A local attacker can exploit this to bypass intended access restrictions and thereby disclose sensitive information or gain elevated privileges. (CVE-2013-2027) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638) - An unspecified flaw exists in the Web Services component that allows an unauthenticated, remote attacker to have an impact on integrity and availability. (CVE-2017-10063) - An unspecified flaw exists in the Web Container component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10123) - An unspecified flaw exists in the JNDI component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10137) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-10147) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to have an impact on integrity. (CVE-2017-10148) - An unspecified flaw exists in the Web Container component that allows an unauthenticated, remote attacker to have an impact on confidentiality and integrity. (CVE-2017-10178)
last seen2020-06-01
modified2020-06-02
plugin id101815
published2017-07-19
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/101815
titleOracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)

References