PT-2020-07: Arbitrary file reading in Oracle WebLogic Server

Oracle WebLogic Server

Severity:

Severity level: Medium
Impact: Arbitrary file reading in Oracle WebLogic Server
Access Vector: Remote

CVSS v3.1: Base 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE: CVE-2020-14622

Vulnerability description:

A vulnerability in Oracle WebLogic Server allows remote attackers to read local files in the context of the web server using a service URL and a specially crafted request. To exploit the vulnerability an adversary should have an administrative account. Access to the administrative panel is not required. The vulnerability can be exploited via 80 (HTTP) and 443 (HTTPS) ports providing access to resources from the Internet.

Advisory status:

April 1, 2020 - Vendor notification date
July 22, 2020 - Security advisory publication date (https://www.oracle.com/security-alerts/cpujul2020.html)

Credits:

The vulnerability was discovered by Arseny Sharoglazov, Positive Technologies

Threatscape