WebLogic Server Encoded Request Directory Listing

medium Nessus Plugin ID 10698

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The version of WebLogic Server running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, via a crafted request, to display a listing of an arbitrary directory, which may contain sensitive files.

Note that this installation may also be affected by a flaw that allows an attacker to view the source code of JSP files; however, Nessus has not tested for this issue.

Solution

Contact the vendor for an appropriate patch.

See Also

https://seclists.org/bugtraq/2001/Mar/402

Plugin Details

Severity: Medium

ID: 10698

File Name: weblogic_percent.nasl

Version: 1.46

Type: remote

Family: Web Servers

Published: 2/16/2016

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score based on analysis of the vulnerability.

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: manual

Vulnerability Information

CPE: cpe:/a:oracle:weblogic_server

Required KB Items: www/weblogic

Exploit Available: true

Exploit Ease: No exploit is required

Exploited by Nessus: true

Vulnerability Publication Date: 3/27/2001

Reference Information

BID: 2513