cnvd - cnvd-2020-61040

cnvd-2020-61040

Vulnerability from cnvd

Title

Oracle WebLogic Server远程代码执行漏洞（CNVD-2020-61040）

Description

Oracle Fusion Middleware（Oracle融合中间件）是美国甲骨文（Oracle）公司的一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能。 Oracle WebLogic Server Oracle Fusion Middleware Console 多版本存在安全漏洞，未经身份验证的攻击者可以利用该漏洞通过HTTP访问网络，从而破坏Oracle WebLogic Server。

Severity

高

Patch Name

Oracle WebLogic Server远程代码执行漏洞（CNVD-2020-61040）的补丁

Patch Description

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法：

https://git.lsd.cat/g/pax-pwn

Impacted products

Name
['Oracle WebLogic Server 10.3.6.0.0', 'Oracle WebLogic Server 12.1.3.0.0', 'Oracle WebLogic Server 12.2.1.3.0', 'Oracle Oracle WebLogic Server 12.2.1.4.0', 'Oracle WebLogic Server 14.1.1.0.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-14750"
    }
  },
  "description": "Oracle Fusion Middleware\uff08Oracle\u878d\u5408\u4e2d\u95f4\u4ef6\uff09\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u4f01\u4e1a\u548c\u4e91\u73af\u5883\u7684\u4e1a\u52a1\u521b\u65b0\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u4e86\u4e2d\u95f4\u4ef6\u3001\u8f6f\u4ef6\u96c6\u5408\u7b49\u529f\u80fd\u3002\n\nOracle WebLogic Server Oracle Fusion Middleware Console \u591a\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u8bbf\u95ee\u7f51\u7edc\uff0c\u4ece\u800c\u7834\u574fOracle WebLogic Server\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\n\r\nhttps://git.lsd.cat/g/pax-pwn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-61040",
  "openTime": "2020-11-08",
  "patchDescription": "Oracle Fusion Middleware\uff08Oracle\u878d\u5408\u4e2d\u95f4\u4ef6\uff09\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u4f01\u4e1a\u548c\u4e91\u73af\u5883\u7684\u4e1a\u52a1\u521b\u65b0\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u4e86\u4e2d\u95f4\u4ef6\u3001\u8f6f\u4ef6\u96c6\u5408\u7b49\u529f\u80fd\u3002\r\n\r\nOracle WebLogic Server Oracle Fusion Middleware Console \u591a\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7HTTP\u8bbf\u95ee\u7f51\u7edc\uff0c\u4ece\u800c\u7834\u574fOracle WebLogic Server\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle WebLogic Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2020-61040\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Oracle WebLogic Server 10.3.6.0.0",
      "Oracle WebLogic Server 12.1.3.0.0",
      "Oracle WebLogic Server 12.2.1.3.0",
      "Oracle Oracle WebLogic Server 12.2.1.4.0",
      "Oracle WebLogic Server 14.1.1.0.0"
    ]
  },
  "serverity": "\u9ad8",
  "submitTime": "2020-11-03",
  "title": "Oracle WebLogic Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2020-61040\uff09"
}

CVE-2020-14750 (GCVE-0-2020-14750)

Vulnerability from cvelistv5

Published

2020-11-01 23:50

Modified

2025-10-21 23:35

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

Summary

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

References

URL

Tags

	https://www.oracle.com/security-alerts/alert-cve-2020-14750.html	x_refsource_MISC
	http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html	x_refsource_MISC