Vulnerability Details : CVE-2020-14750
Public exploit exists!
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Products affected by CVE-2020-14750
- cpe:2.3:a:oracle:fusion_middleware:12.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:fusion_middleware:10.3.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:fusion_middleware:14.1.1.0.0:*:*:*:*:*:*:*
CVE-2020-14750 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Oracle WebLogic Server Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2020-14750
Added on
2021-11-03
Action due date
2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2020-14750
97.53%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2020-14750
-
Oracle WebLogic Server Administration Console Handle RCE
Disclosure Date: 2020-10-20First seen: 2020-11-18exploit/multi/http/weblogic_admin_handle_rceThis module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are
CVSS scores for CVE-2020-14750
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
Oracle |
References for CVE-2020-14750
-
http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
Oracle WebLogic Server Administration Console Handle Remote Code Execution ≈ Packet StormThird Party Advisory;VDB Entry
-
https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
Oracle Security Alert - CVE-2020-14750Patch;Vendor Advisory
Jump to