CVE-2007-2699 - The Administration Console in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not properly

CVE-2007-2699

Summary

The Administration Console in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not properly enforce certain Domain Security Policies, which allows remote administrative users in the Deployer role to upload arbitrary files.

References

Vulnerable Configurations

cpe:2.3:a:bea:weblogic_server:9.0:*:*:*:*:*:*:*
cpe:2.3:a:bea:weblogic_server:9.0:*:*:*:*:*:*:*
cpe:2.3:a:bea:weblogic_server:9.0:*:express:*:*:*:*:*
cpe:2.3:a:bea:weblogic_server:9.0:*:express:*:*:*:*:*
cpe:2.3:a:bea:weblogic_server:9.1:*:*:*:*:*:*:*
cpe:2.3:a:bea:weblogic_server:9.1:*:*:*:*:*:*:*
cpe:2.3:a:bea:weblogic_server:9.1:*:express:*:*:*:*:*
cpe:2.3:a:bea:weblogic_server:9.1:*:express:*:*:*:*:*

CVSS

Base:	7.1 (as of 28-05-2019 - 17:29)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	SINGLE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:H/Au:S/C:C/I:C/A:C

refmap via4

bea	BEA07-164.00
misc	http://packetstormsecurity.com/files/153072/Oracle-Application-Testing-Suite-WebLogic-Server-Administration-Console-War-Deployment.html
osvdb	36069
sectrack	1018057
secunia	25284
vupen	ADV-2007-1815
xf	weblogic-adminconsole-insecure-permissions(34289)

Last major update

28-05-2019 - 17:29

Published

16-05-2007 - 01:19

Last modified

28-05-2019 - 17:29