⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2019-2729

CWE-284Improper Access Control18 documents9 sources
Severity
9.8CRITICAL
EPSS
94.4%
top 0.04%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
10
Oracle Communications Network IntegrityOracle Corporation Weblogic ServerOracle Communications Diameter Signaling Router+7 more
Timeline
PublishedJun 19
Latest updateMay 24

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS V

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages10 packages

NVDoracle/weblogic_server10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0+2
CVEListV5oracle_corporation/weblogic_server10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0+2
NVDoracle/rapid_planning12.1, 12.2+1
NVDoracle/identity_manager11.1.2.3.0, 12.2.1.3.0+1

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

3
GHSA
GHSA-hmxx-vvw4-43vc: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)2022-05-24
CVEList
CVE-2019-2729: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)2019-06-19
VulnCheck
Oracle communications_diameter_signaling_router Improper Access Control2019

💥Exploits & PoCs

2
Exploit-DB
Oracle Weblogic 10.3.6.0.0 - Remote Command Execution2020-01-09
Nuclei
Oracle WebLogic Server Administration Console - Remote Code Execution

📋Vendor Advisories

4
Oracle
Oracle Oracle Hyperion Risk Matrix: Installation and Configuration (Oracle WebLogic Server) — CVE-2019-27292021-07-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: Integration (Oracle WebLogic Server) — CVE-2019-27292020-07-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: IDIH Visualization (Oracle WebLogic Server) — CVE-2019-27292020-04-15
Oracle
Oracle Oracle PeopleSoft Risk Matrix: Security (Oracle WebLogic Server) — CVE-2019-27292020-01-15

🕵️Threat Intelligence

7
Trendmicro
Remediating an RCE (CVE-2019-2729) in Oracle WebLogic2019-06-25
Trendmicro
Remediating an RCE (CVE-2019-2729) in Oracle WebLogic2019-06-25
Trendmicro
Remediating an RCE (CVE-2019-2729) in Oracle WebLogic2019-06-25
Trendmicro
Remediating an RCE (CVE-2019-2729) in Oracle WebLogic2019-06-25
Trendmicro
Remediating an RCE (CVE-2019-2729) in Oracle WebLogic2019-06-25