The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:

  - An unspecified vulnerability in the Third Party Tools     (Bouncy Castle Java Library) component of Oracle WebLogic     Server. An unauthenticated attacker with network access     via HTTPS could exploit this vulnerability to compromise     Oracle WebLogic Server. A successful attack of this     vulnerability can result in unauthorized ability to cause     a hang or frequently repeatable crash (complete DOS) of     Oracle WebLogic Server. (CVE-2019-1735)

  - An unspecified vulnerability in the Console component of     Oracle WebLogic Server.  An unauthenticated attacker with     network access via HTTP could exploit this vulnerability     to compromise Oracle WebLogic Server. A successful attack     requires human interaction from a person other than the     attacker. A successful attacks of this vulnerability can     result in unauthorized ability to cause a partial denial     of service (partial DOS) of Oracle WebLogic Server.
    (CVE-2020-2519)   
  - An unspecified vulnerability in the Console component of     Oracle WebLogic Server.  An unauthenticated attacker with     network access via HTTP could exploit this vulnerability     to compromise Oracle WebLogic Server. A successful attack     requires human interaction from a person other than the     attacker. A successful attack of this vulnerability can     result in unauthorized update, insert or delete access     to some of Oracle WebLogic Server accessible data.
    (CVE-2020-2544)   
  - An unspecified vulnerability in the Application     Container - JavaEE component of Oracle WebLogic Server.
    An unauthenticated attacker with network access via T3     could exploit this vulnerability to compromise Oracle     WebLogic Server. A successful attack of this vulnerability     can result in takeover of Oracle WebLogic Server.
    (CVE-2020-2546)   
  - An unspecified vulnerability in the Console component of     Oracle WebLogic Server. A high privileged attacker with     network access via HTTP could exploit this vulnerability     to compromise Oracle WebLogic Server. A successful attack     requires human interaction from a person other than the     attacker and while the vulnerability is in Oracle WebLogic     Server, attacks may significantly impact additional     products. Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to     some of Oracle WebLogic Server accessible data as well as     unauthorized read access to a subset of Oracle WebLogic     Server accessible data. (CVE-2020-2547)   
  - An unspecified vulnerability in the WLS Core Components     of Oracle WebLogic Server. A high privileged attacker     with network access via HTTP could exploit this     vulnerability to compromise Oracle WebLogic Server.
    A successful attack requires human interaction from a     person other than the attacker and while the vulnerability     is in Oracle WebLogic Server, attacks may significantly     impact additional products. Successful attacks of this     vulnerability can result in unauthorized update, insert or     delete access to some of Oracle WebLogic Server accessible     data as well as unauthorized read access to a subset of     Oracle WebLogic Server accessible data.
    (CVE-2020-2548)   
  - An unspecified vulnerability in the WLS Core Components     of Oracle WebLogic Server. A high privileged attacker with     network access via HTTP could exploit this vulnerability to     compromise Oracle WebLogic Server. A successful attack of this     vulnerability can result in takeover of Oracle WebLogic Server.
    (CVE-2020-2549)   
  - An unspecified vulnerability in the WLS Core Components     of Oracle WebLogic Server. A high privileged attacker with     logon to the infrastructure where Oracle WebLogic Server     executes could exploit this vulnerability to compromise     racle WebLogic Server. A successful attack of this     vulnerability can result in unauthorized access to critical     data or complete access to all Oracle WebLogic Server     accessible data.
    (CVE-2020-2550)   
  - An unspecified vulnerability in the WLS Core Components of     Oracle WebLogic Server. An unauthenticated attacker with     network access via IIOP could exploit this vulnerability to     compromise Oracle WebLogic Server. A successful attack of this     vulnerability can result in takeover of Oracle WebLogic Server.
    (CVE-2020-2551)   
  - An unspecified vulnerability in the WLS Core Components of     Oracle WebLogic Server. A high privileged attacker with     network access via HTTP could exploit this vulnerability     to compromise Oracle WebLogic Server. A successful attack     requires human interaction from a person other than the     attacker and while the vulnerability is in Oracle     WebLogic Server, attacks may significantly impact     additional products. A successful attack of this     vulnerability can result in unauthorized update,     insert or delete access to some of Oracle WebLogic     Server accessible data as well as unauthorized read     access to a subset of Oracle WebLogic Server accessible     data. (CVE-2020-2552)   
  - An unspecified vulnerability in the Web Container     (JavaServer Faces) Components of Oracle WebLogic Server.
    An unauthenticated attacker with network access via     HTTP could exploit this vulnerability to compromise     Oracle WebLogic Server. A successful attack of this     vulnerability can result in unauthorized access to     critical data or complete access to all Oracle WebLogic     Server accessible data. (CVE-2020-6950)

Detections

Analytics

Oracle WebLogic Server Multiple Vulnerabilities (Jan 2020 CPU)

critical Nessus Plugin ID 132961

Version 1.9

Version 1.8

Version 1.8

Version 1.9 Nov 17, 2023, 1:46 AM CISA reference CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202311170146
Version 1.8 Dec 6, 2022, 2:54 AM Reference Plugin Feed: 202212060254
Version 1.8 Nov 16, 2023, 11:33 PM CISA reference CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202311162333