cbcvebase.

Bea Weblogic Server vulnerabilities

146 known vulnerabilities affecting bea/weblogic_server.

Total CVEs
146
CISA KEV
0
Public exploits
12
Exploited in wild
0
Severity breakdown
CRITICAL7HIGH31MEDIUM92LOW16

Vulnerabilities

Page 2 of 8
CVE-2005-4765P4HIGHCVSS 7.6v7.0v8.12005-12-31
CVE-2005-4765 [HIGH] CVE-2005-4765: BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier and 7.0 SP6 and earlier, when using the BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier and 7.0 SP6 and earlier, when using the weblogic.Deployer command with the t3 protocol, does not use the secure t3s protocol even when an Administration port is enabled on the Administration server, which might allow remote attackers to sniff the connection.
nvd
CVE-2006-0426P4HIGHCVSS 7.5v8.12006-01-25
CVE-2006-0426 [HIGH] CVE-2006-0426: BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configuration auditing is enabled and BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configuration auditing is enabled and a password change occurs, stores the old and new passwords in cleartext in the DefaultAuditRecorder.log file, which could allow attackers to gain privileges.
nvd
CVE-2007-0418P4HIGHCVSS 7.5≤ 7.0≤ 8.1+4 more2007-01-23
CVE-2007-0418 [HIGH] CVE-2007-0418: BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a securi BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a security policy that declares permissions for EJB methods that have array parameters, which allows remote attackers to obtain unauthorized access to these methods.
nvd
CVE-2007-0408P4HIGHCVSS 7.5≤ 8.1v8.12007-01-23
CVE-2007-0408 [HIGH] CVE-2007-0408: BEA Weblogic Server 8.1 through 8.1 SP4 does not properly validate client certificates when reusing BEA Weblogic Server 8.1 through 8.1 SP4 does not properly validate client certificates when reusing cached connections, which allows remote attackers to obtain access via an untrusted X.509 certificate.
nvd
CVE-2007-2696P4MEDIUMCVSS 6.8v6.1v7.0+1 more2007-05-16
CVE-2007-2696 [MEDIUM] CVE-2007-2696: The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6, and 8.1 through SP5 enforces The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6, and 8.1 through SP5 enforces security access policies on the front end, which allows remote attackers to access protected queues via direct requests to the JMS back-end server.
nvd
CVE-2006-2469P4HIGHCVSS 7.5v6.0v6.1+3 more2006-05-19
CVE-2006-2469 [HIGH] CVE-2006-2469: The HTTP handlers in BEA WebLogic Server 9.0, 8.1 up to SP5, 7.0 up to SP6, and 6.1 up to SP7 stores The HTTP handlers in BEA WebLogic Server 9.0, 8.1 up to SP5, 7.0 up to SP6, and 6.1 up to SP7 stores the username and password in cleartext in the WebLogic Server log when access to a web application or protected JWS fails, which allows attackers to gain privileges.
nvd
CVE-2008-0901P4HIGHCVSS 7.1v7.0v8.1+4 more2008-02-22
CVE-2008-0901 [HIGH] CWE-200 CVE-2008-0901: BEA WebLogic Server and Express 7.0 through 10.0 allows remote attackers to conduct brute force pass BEA WebLogic Server and Express 7.0 through 10.0 allows remote attackers to conduct brute force password guessing attacks, even when account lockout has been activated, via crafted URLs that indicate whether a guessed password is successful or not.
nvd
CVE-2005-4756P4HIGHCVSS 7.5v7.0v8.12005-12-31
CVE-2005-4756 [HIGH] CVE-2005-4756: BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP5 and earlier, do not proper BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP5 and earlier, do not properly validate derived Principals with multiple PrincipalValidators, which might allow attackers to gain privileges.
nvd
CVE-2007-4614P4HIGHCVSS 7.5v9.12007-08-31
CVE-2007-4614 [HIGH] CVE-2007-4614: BEA WebLogic Server 9.1 does not properly handle propagation of an admin server's security policy ch BEA WebLogic Server 9.1 does not properly handle propagation of an admin server's security policy change log to temporarily unavailable managed servers, which might allow attackers to bypass intended restrictions, a different vulnerability than CVE-2007-0426.
nvd
CVE-2008-0900P4MEDIUMCVSS 6.0v8.1v9.2+1 more2008-02-22
CVE-2008-0900 [MEDIUM] CWE-264 CVE-2008-0900: Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through M Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors.
nvd
CVE-2005-4764P4HIGHCVSS 7.8v6.1v7.0+1 more2005-12-31
CVE-2005-4764 [HIGH] CVE-2005-4764: BEA WebLogic Server and WebLogic Express 9.0, 8.1, and 7.0 lock out the admin user account after mul BEA WebLogic Server and WebLogic Express 9.0, 8.1, and 7.0 lock out the admin user account after multiple incorrect password guesses, which allows remote attackers who know or guess the admin account name to cause a denial of service (blocked admin logins).
nvd
CVE-2007-4618P4HIGHCVSS 7.8v6.0v6.1+1 more2007-08-31
CVE-2007-4618 [HIGH] CWE-399 CVE-2007-4618: Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7 and 7.0 Gold through SP7 allow Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7 and 7.0 Gold through SP7 allows remote attackers to cause a denial of service (disk consumption) via certain malformed HTTP headers.
nvd
CVE-2007-4617P4HIGHCVSS 7.8v6.0v6.1+2 more2007-08-31
CVE-2007-4617 [HIGH] CWE-399 CVE-2007-4617: Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7, 7.0 Gold through SP7, and 8.1 Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7, 7.0 Gold through SP7, and 8.1 Gold through SP4 allows remote attackers to cause a denial of service (server thread hang) via unspecified vectors.
nvd
CVE-2004-0711P4HIGHCVSS 7.5v7.0v8.12004-07-27
CVE-2004-0711 [HIGH] CVE-2004-0711: The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" a The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards as if they were the legal "/*" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected.
nvd
CVE-2005-1744P4CRITICALCVSS 9.8≤ 7.02005-05-24
CVE-2005-1744 [CRITICAL] CWE-459 CVE-2005-1744: BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an a BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security constraints or role mappings.
nvd
CVE-2006-2470P4HIGHCVSS 7.5v9.02006-05-19
CVE-2006-2470 [HIGH] CVE-2006-2470: Unspecified vulnerability in the WebLogic Server Administration Console for BEA WebLogic Server 9.0 Unspecified vulnerability in the WebLogic Server Administration Console for BEA WebLogic Server 9.0 prevents the console from setting custom JDBC security policies correctly, which could allow attackers to bypass intended policies.
nvd
CVE-2008-0898P4MEDIUMCVSS 5.8v9.0v9.1+2 more2008-02-22
CVE-2008-0898 [MEDIUM] CWE-264 CVE-2008-0898: The distributed queue feature in JMS in BEA WebLogic Server 9.0 through 10.0, in certain configurati The distributed queue feature in JMS in BEA WebLogic Server 9.0 through 10.0, in certain configurations, does not properly handle when a client cannot send a message to a member of a distributed queue, which allows remote authenticated users to bypass intended access restrictions for protected distributed queues.
nvd
CVE-2005-4763P4HIGHCVSS 7.5v6.1v7.0+1 more2005-12-31
CVE-2005-4763 [HIGH] CVE-2005-4763: BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and 6.1 SP7 and e BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 and earlier, and 6.1 SP7 and earlier, when Internet Inter-ORB Protocol (IIOP) is used, sometimes include a password in an exception message that is sent to a client or stored in a log file, which might allow remote attackers to perform unauthorized actions.
nvd
CVE-2004-0713P4MEDIUMCVSS 6.4v6.1v7.0+1 more2004-07-27
CVE-2004-0713 [MEDIUM] CVE-2004-0713: The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Expres The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown.
nvd
CVE-2007-4615P4MEDIUMCVSS 6.4≤ 9.2v7.0+4 more2007-08-31
CVE-2007-4615 [MEDIUM] CVE-2007-4615: The SSL client implementation in BEA WebLogic Server 7.0 SP7, 8.1 SP2 through SP6, 9.0, 9.1, 9.2 Gol The SSL client implementation in BEA WebLogic Server 7.0 SP7, 8.1 SP2 through SP6, 9.0, 9.1, 9.2 Gold through MP2, and 10.0 sometimes selects the null cipher when others are available, which might allow remote attackers to intercept communications.
nvd
Bea Weblogic Server vulnerabilities | cvebase