CVE-2008-0901

critical

Description

BEA WebLogic Server and Express 7.0 through 10.0 allows remote attackers to conduct brute force password guessing attacks, even when account lockout has been activated, via crafted URLs that indicate whether a guessed password is successful or not.

References

http://www.vupen.com/english/advisories/2008/0612/references

http://www.securitytracker.com/id?1019449

http://www.securityfocus.com/archive/1/488686/100/0/threaded

http://www.s21sec.com/avisos/s21sec-040-en.txt

http://secunia.com/advisories/29041

http://dev2dev.bea.com/pub/advisory/271

Details

Source: Mitre, NVD

Published: 2008-02-22

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00487