CVE-2022-21616

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H).

CVSS v3 5.2 MEDIUM

5.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 4.7

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.oracle.com/security-alerts/cpuoct2022.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

History

20 Oct 2022, 15:30

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2022.html - Patch, Vendor Advisory
CWE		NVD-CWE-noinfo
First Time		Oracle weblogic Server Oracle

18 Oct 2022, 21:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-18 21:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-21616

Mitre link : CVE-2022-21616

CVE.ORG link : CVE-2022-21616

JSON object : View

Products Affected

oracle

weblogic_server

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-21616", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "secalert_us@oracle.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 0.5}]}, "published": "2022-10-18T21:15:12.640", "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2022.html", "tags": ["Patch", "Vendor Advisory"], "source": "secalert_us@oracle.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H)."}, {"lang": "es", "value": "Una vulnerabilidad en el producto Oracle WebLogic Server de Oracle Fusion Middleware (componente: Web Container). Las versiones soportadas que est\u00e1n afectadas son 12.2.1.3.0, 12.2.1.4.0 y 14.1.1.0.0. Una vulnerabilidad dif\u00edcil de explotar permite a un atacante con altos privilegios que inicie sesi\u00f3n en la infraestructura donde es ejecutado Oracle WebLogic Server comprometerlo. Los ataques con \u00e9xito de esta vulnerabilidad pueden resultar en una capacidad no autorizada para causar una suspensi\u00f3n o bloqueo repetible frecuentemente (DOS completo) de Oracle WebLogic Server, as\u00ed como el acceso no autorizado a la actualizaci\u00f3n, inserci\u00f3n o eliminaci\u00f3n de algunos de los datos accesibles de Oracle WebLogic Server y el acceso no autorizado a la lectura de un subconjunto de datos accesibles de Oracle WebLogic Server. CVSS 3.1 Puntuaci\u00f3n Base 5.2 (Impactos en la Confidencialidad, Integridad y Disponibilidad). Vector CVSS: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H)"}], "lastModified": "2022-10-20T15:30:53.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752"}], "operator": "OR"}]}], "sourceIdentifier": "secalert_us@oracle.com"}