VYPR

WebLogic Server

by Bea

CVEs (160)

  • CVE-2006-0431Jan 25, 2006
    risk 0.00cvss epss 0.00

    Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 8.1 SP5 allows untrusted applications to obtain the server's SSL identity via unknown attack vectors.

  • CVE-2006-0422Jan 25, 2006
    risk 0.00cvss epss 0.02

    Multiple unspecified vulnerabilities in BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allow remote attackers to access MBean attributes or cause an unspecified denial of service via unknown attack vectors.

  • CVE-2006-0420Jan 25, 2006
    risk 0.00cvss epss 0.01

    BEA WebLogic Server and WebLogic Express 8.1 through SP4 and 7.0 through SP6 does not properly handle when servlets use relative forwarding, which allows remote attackers to cause a denial of service (slowdown) via unknown attack vectors that cause "looping stack overflow…

  • CVE-2006-0427Jan 25, 2006
    risk 0.00cvss epss 0.00

    Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0 and 8.1 through SP5 allows malicious EJBs or servlet applications to decrypt system passwords, possibly by accessing functionality that should have been restricted.

  • CVE-2006-0421Jan 25, 2006
    risk 0.00cvss epss 0.00

    By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges…

  • CVE-2006-0432Jan 25, 2006
    risk 0.00cvss epss 0.00

    Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 9.0, when an Administrator uses the WebLogic Administration Console to add custom security policies, causes incorrect policies to be created, which prevents the server from properly protecting JNDI resources.

  • CVE-2006-0426Jan 25, 2006
    risk 0.00cvss epss 0.02

    BEA WebLogic Server and WebLogic Express 8.1 through SP4, when configuration auditing is enabled and a password change occurs, stores the old and new passwords in cleartext in the DefaultAuditRecorder.log file, which could allow attackers to gain privileges.

  • CVE-2006-0424Jan 25, 2006
    risk 0.00cvss epss 0.01

    BEA WebLogic Server and WebLogic Express 8.1 through SP4, 7.0 through SP6, and 6.1 through SP7 allows remote authenticated guest users to read the server log and obtain sensitive configuration information.

  • CVE-2006-0429Jan 25, 2006
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and WebLogic Express 9.0 causes new security providers to appear active even if they have not been activated by a server reboot, which could cause an administrator to perform inappropriate, security-relevant actions.

  • CVE-2006-0430Jan 25, 2006
    risk 0.00cvss epss 0.02

    Certain configurations of BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6, when connection filters are enabled, cause the server to run more slowly, which makes it easier for remote attackers to cause a denial of service (server slowdown).

  • CVE-2006-0419Jan 25, 2006
    risk 0.00cvss epss 0.02

    BEA WebLogic Server and WebLogic Express 9.0, 8.1 through SP5, and 7.0 through SP6 allows anonymous binds to the embedded LDAP server, which allows remote attackers to read user entries or cause a denial of service (unspecified) via a large number of connections.

  • CVE-2005-4750Dec 31, 2005
    risk 0.00cvss epss 0.02

    BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP5 and earlier, and 6.1 SP7 and earlier allow remote attackers to cause a denial of service (server thread hang) via unknown attack vectors.

  • CVE-2005-4704Dec 31, 2005
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in BEA WebLogic Server and WebLogic Express 8.1 through SP3, 7.0 through SP6, and 6.1 through SP7, when SSL is intended to be used, causes an unencrypted protocol to be used in certain unspecified circumstances, which causes user credentials to be sent…

  • CVE-2005-4760Dec 31, 2005
    risk 0.00cvss epss 0.02

    BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 SP5 and earlier, when fullyDelegatedAuthorization is enabled for a servlet, does not cause servlet deployment to fail when failures occur in authorization or role providers, which might prevent the servlet…

  • CVE-2005-4758Dec 31, 2005
    risk 0.00cvss epss 0.02

    Unspecified vulnerability in the Administration server in BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier allows remote authenticated Admin users to read arbitrary files via unknown attack vectors related to an "internal servlet" accessed through HTTP.

  • CVE-2005-4755Dec 31, 2005
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier (1) stores the private key passphrase (CustomTrustKeyStorePassPhrase) in cleartext in nodemanager.config; or, during domain creation with the Configuration Wizard, renders an SSL private key passphrase in cleartext (2)…

  • CVE-2005-4756Dec 31, 2005
    risk 0.00cvss epss 0.02

    BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP5 and earlier, do not properly validate derived Principals with multiple PrincipalValidators, which might allow attackers to gain privileges.

  • CVE-2005-4752Dec 31, 2005
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP6 and earlier, might allow local users to gain privileges by using the run-as deployment descriptor element to change the privileges of a web application or EJB from the Deployer security role to the Admin…

  • CVE-2005-4765Dec 31, 2005
    risk 0.00cvss epss 0.02

    BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier and 7.0 SP6 and earlier, when using the weblogic.Deployer command with the t3 protocol, does not use the secure t3s protocol even when an Administration port is enabled on the Administration server, which might allow…

  • CVE-2005-4766Dec 31, 2005
    risk 0.00cvss epss 0.01

    BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 SP5 and earlier, do not encrypt multicast traffic, which might allow remote attackers to read sensitive cluster synchronization messages by sniffing the multicast traffic.

Page 5 of 8