Vulnerability Details : CVE-2004-2320

The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

Vulnerability category: Cross site scripting (XSS)Information leak

Published 2004-12-31 05:00:00

Updated 2017-07-11 01:31:48

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2004-2320

Probability of exploitation activity in the next 30 days: 0.56%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2004-2320

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2004-2320

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2004-2320

Red Hat 2008-03-05

The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required. For more information please see: http://www.apacheweek.com/issues/03-01-24#news

References for CVE-2004-2320

http://www.kb.cert.org/vuls/id/867593

VU#867593 - Web servers enable HTTP TRACE method by default
Third Party Advisory;US Government Resource

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/14959
http://www.securitytracker.com/alerts/2004/Jan/1008866.html

Patch
http://dev2dev.bea.com/pub/advisory/68

Patch;Vendor Advisory
http://www.securityfocus.com/bid/9506

WebLogic Server and Express HTTP TRACE Credential Theft Vulnerability
Patch

Products affected by CVE-2004-2320

BEA » Weblogic Server » Version: 5.1 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:*:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp11 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp11:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP2 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp2:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP9 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp9:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP1 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp1:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp10 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp10:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP4 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp4:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP5 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp5:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP6 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp6:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP7 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp7:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp12 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp12:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP3 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp3:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP8 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp8:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP1
cpe:2.3:a:bea:weblogic_server:5.1:sp1:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP5
cpe:2.3:a:bea:weblogic_server:5.1:sp5:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP2
cpe:2.3:a:bea:weblogic_server:5.1:sp2:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP6
cpe:2.3:a:bea:weblogic_server:5.1:sp6:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP4
cpe:2.3:a:bea:weblogic_server:5.1:sp4:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP3
cpe:2.3:a:bea:weblogic_server:5.1:sp3:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1
cpe:2.3:a:bea:weblogic_server:6.1:*:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP1
cpe:2.3:a:bea:weblogic_server:6.1:sp1:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP1 Express Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp1:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP2 Express Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp2:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Express Edition
cpe:2.3:a:bea:weblogic_server:6.1:*:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp10
cpe:2.3:a:bea:weblogic_server:5.1:sp10:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp12
cpe:2.3:a:bea:weblogic_server:5.1:sp12:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP8
cpe:2.3:a:bea:weblogic_server:5.1:sp8:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP9
cpe:2.3:a:bea:weblogic_server:5.1:sp9:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP3
cpe:2.3:a:bea:weblogic_server:6.1:sp3:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP3 Express Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp3:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Express Edition
cpe:2.3:a:bea:weblogic_server:7.0:*:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP7
cpe:2.3:a:bea:weblogic_server:5.1:sp7:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP2
cpe:2.3:a:bea:weblogic_server:6.1:sp2:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0
cpe:2.3:a:bea:weblogic_server:7.0:*:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP1 Express Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp1:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP2
cpe:2.3:a:bea:weblogic_server:7.0:sp2:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP4
cpe:2.3:a:bea:weblogic_server:6.1:sp4:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP4 Express Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp4:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP1
cpe:2.3:a:bea:weblogic_server:7.0:sp1:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP2 Express Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp2:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP3 Express Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp3:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP3 Win32 Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp3:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP3
cpe:2.3:a:bea:weblogic_server:7.0:sp3:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP1 Win32 Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp1:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP2 Win32 Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp2:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP4 Win32 Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp4:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Win32 Edition
cpe:2.3:a:bea:weblogic_server:7.0:*:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP3 Win32 Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp3:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP6 Win32 Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp6:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Express Edition
cpe:2.3:a:bea:weblogic_server:8.1:*:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Win32 Edition
cpe:2.3:a:bea:weblogic_server:8.1:*:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP2 Win32 Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp2:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP5 Win32 Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp5:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP6
cpe:2.3:a:bea:weblogic_server:6.1:sp6:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP1 Win32 Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp1:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP5
cpe:2.3:a:bea:weblogic_server:6.1:sp5:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP5 Express Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp5:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Update SP1 Win32 Edition
cpe:2.3:a:bea:weblogic_server:8.1:sp1:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Update SP2
cpe:2.3:a:bea:weblogic_server:8.1:sp2:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Update SP2 Express Edition
cpe:2.3:a:bea:weblogic_server:8.1:sp2:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Update SP2 Win32 Edition
cpe:2.3:a:bea:weblogic_server:8.1:sp2:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Win32 Edition
cpe:2.3:a:bea:weblogic_server:6.1:*:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 6.1 Update SP4 Win32 Edition
cpe:2.3:a:bea:weblogic_server:6.1:sp4:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP4
cpe:2.3:a:bea:weblogic_server:7.0:sp4:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 7.0 Update SP4 Express Edition
cpe:2.3:a:bea:weblogic_server:7.0:sp4:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Update SP1
cpe:2.3:a:bea:weblogic_server:8.1:sp1:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1 Update SP1 Express Edition
cpe:2.3:a:bea:weblogic_server:8.1:sp1:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 8.1
cpe:2.3:a:bea:weblogic_server:8.1:*:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP1 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp1:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp12 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp12:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP3 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp3:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP8 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp8:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp11 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp11:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP2 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp2:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP5 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp5:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:*:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp11
cpe:2.3:a:bea:weblogic_server:5.1:sp11:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp13 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp13:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP4 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp4:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP7 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp7:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp10 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp10:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp13
cpe:2.3:a:bea:weblogic_server:5.1:sp13:*:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update Sp13 Express Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp13:express:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP6 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp6:win32:*:*:*:*:*
Matching versions
BEA » Weblogic Server » Version: 5.1 Update SP9 Win32 Edition
cpe:2.3:a:bea:weblogic_server:5.1:sp9:win32:*:*:*:*:*
Matching versions