Vulnerabilities > CVE-2017-10178 - Unspecified vulnerability in Oracle Weblogic Server

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
oracle
nessus

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Container). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.1 and 12.2.1.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Nessus

NASL familyMisc.
NASL idORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL
descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A flaw exists in Jython due to executable classes being created with insecure permissions. A local attacker can exploit this to bypass intended access restrictions and thereby disclose sensitive information or gain elevated privileges. (CVE-2013-2027) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638) - An unspecified flaw exists in the Web Services component that allows an unauthenticated, remote attacker to have an impact on integrity and availability. (CVE-2017-10063) - An unspecified flaw exists in the Web Container component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10123) - An unspecified flaw exists in the JNDI component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10137) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-10147) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to have an impact on integrity. (CVE-2017-10148) - An unspecified flaw exists in the Web Container component that allows an unauthenticated, remote attacker to have an impact on confidentiality and integrity. (CVE-2017-10178)
last seen2020-06-01
modified2020-06-02
plugin id101815
published2017-07-19
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/101815
titleOracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)