CVE-2004-2320 — Sensitive Information Exposure in Weblogic Server

CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

5.8MEDIUMNVD

EPSS

5.5%

top 9.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

BEA Weblogic Server

Timeline

PublishedDec 31

Latest updateApr 29

Description

The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

▶NVDbea/weblogic_server4 versions+3

Patches

Patch: dev2dev.bea.com ↗Patch: www.securityfocus.com ↗Patch: www.securitytracker.com ↗

🔴Vulnerability Details

GHSA

GHSA-j9r3-w4r5-872h: The default configuration of BEA WebLogic Server and Express 8↗2022-04-29

▶

CVEList

CVE-2004-2320: The default configuration of BEA WebLogic Server and Express 8↗2005-08-16

▶

📋Vendor Advisories

Red Hat

CVE-2004-2320: The default configuration of BEA WebLogic Server and Express 8↗

▶

Red Hat

CVE-2007-3008: Mbedthis AppWeb before 2↗

▶