CVE-2020-2883 CRITICAL

Published: 2020-04-15 | Last Modified: 2025-10-27 | Status: Analyzed

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Additional Descriptions (1)

Vulnerabilidad en el producto Oracle WebLogic Server de Oracle Fusion Middleware (componente: Core). Las versiones compatibles que se ven afectadas son 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 y 12.2.1.4.0. La vulnerabilidad fácilmente explotable permite que un atacante no autenticado con acceso a la red a través de IIOP, T3 comprometa el servidor Oracle WebLogic. Los ataques con éxito de esta vulnerabilidad pueden resultar en la adquisición de Oracle WebLogic Server. Puntaje base CVSS 3.0 9.8 (Confidencialidad, integridad y impactos de disponibilidad). Vector CVSS: (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: U / C: H / I: H / A: H).

CVSS Metrics

Base Score: 9.8 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.9

Base Score: 7.5 (HIGH)

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector	NETWORK
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	PARTIAL
Integrity Impact	PARTIAL
Availability Impact	PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 6.4

Weaknesses

Source	Type	Description
[email protected]	Primary	en NVD-CWE-noinfo

Affected Products

Vendor	Product	Version	Update	Type
oracle	weblogic_server	10.3.6.0.0	<built-in method update of dict object at 0x72a9cc7e3080>	Application
oracle	weblogic_server	12.1.3.0.0	<built-in method update of dict object at 0x72a9b0dcfc80>	Application
oracle	weblogic_server	12.2.1.3.0	<built-in method update of dict object at 0x72a9b0dceec0>	Application
oracle	weblogic_server	12.2.1.4.0	<built-in method update of dict object at 0x72a9cdc84c80>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*`
Yes	`cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*`
Yes	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*`
Yes	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`

References

http://packetstormsecurity.com/files/157950/WebLogic-Server-Deserialization-Remote-Code-Execution.html
Source: [email protected]

Third Party Advisory VDB Entry
https://www.oracle.com/security-alerts/cpuapr2020.html
Source: [email protected]

Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-504/
Source: [email protected]

Third Party Advisory VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-20-570/
Source: [email protected]

Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/157950/WebLogic-Server-Deserialization-Remote-Code-Execution.html
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory VDB Entry
https://www.oracle.com/security-alerts/cpuapr2020.html
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-504/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-20-570/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory VDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2883
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource