VYPR

WebLogic Server

by Bea

CVEs (160)

  • CVE-2005-0432May 2, 2005
    risk 0.00cvss epss 0.02

    BEA WebLogic Server 7.0 Service Pack 5 and earlier, and 8.1 Service Pack 3 and earlier, generates different login exceptions that suggest why an authentication attempt fails, which makes it easier for remote attackers to guess passwords via brute force attacks.

  • CVE-2004-1757Dec 31, 2004
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges.

  • CVE-2004-1755Dec 31, 2004
    risk 0.00cvss epss 0.01

    The Web Services fat client for BEA WebLogic Server and Express 7.0 SP4 and earlier, when using 2-way SSL and multiple certificates to connect to the same URL, may use the incorrect identity after the first connection, which could allow users to gain privileges.

  • CVE-2004-2424Dec 31, 2004
    risk 0.00cvss epss 0.02

    BEA WebLogic Server and WebLogic Express 8.1 through 8.1 SP2 allow remote attackers to cause a denial of service (network port consumption) via unknown actions in HTTPS sessions, which prevents the server from releasing the network port when the session ends.

  • CVE-2004-2696Dec 31, 2004
    risk 0.00cvss epss 0.01

    BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using Remote Method Invocation (RMI) over Internet Inter-ORB Protocol (IIOP), does not properly handle when multiple logins for different users coming from the same client, which could cause an "unexpected user…

  • CVE-2004-2321Dec 31, 2004
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and Express 8.1 SP1 and earlier allows local users in the Operator role to obtain administrator passwords via MBean attributes, including (1) ServerStartMBean.Password and (2) NodeManagerMBean.CertificatePassword.

  • CVE-2004-0652Aug 6, 2004
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack 4, and 8.1 through 8.1 Service Pack 2, allows attackers to obtain the username and password for booting the server by directly accessing certain internal methods.

  • CVE-2004-0712Jul 27, 2004
    risk 0.00cvss epss 0.00

    The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges.

  • CVE-2004-0711Jul 27, 2004
    risk 0.00cvss epss 0.02

    The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards as if they were the legal "/*" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns…

  • CVE-2004-0715Jul 27, 2004
    risk 0.00cvss epss 0.02

    The WebLogic Authentication provider for BEA WebLogic Server and WebLogic Express 8.1 through SP2 and 7.0 through SP4 does not properly clear member relationships when a group is deleted, which can cause a new group with the same name to have the members of the old group, which…

  • CVE-2004-0713Jul 27, 2004
    risk 0.00cvss epss 0.03

    The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to…

  • CVE-2004-0470Jul 7, 2004
    risk 0.00cvss epss 0.03

    BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name…

  • CVE-2004-0471Jul 7, 2004
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown).

  • CVE-2004-1756Apr 13, 2004
    risk 0.00cvss epss 0.01

    BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers.

  • CVE-2004-1758Apr 13, 2004
    risk 0.00cvss epss 0.00

    BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges.

  • CVE-2003-1225Dec 31, 2003
    risk 0.00cvss epss 0.00

    The default CredentialMapper for BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores passwords in cleartext on disk, which allows local users to extract passwords.

  • CVE-2003-1220Dec 31, 2003
    risk 0.00cvss epss 0.01

    BEA WebLogic Server proxy plugin for BEA Weblogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (proxy plugin crash) via a malformed URL.

  • CVE-2003-1224Dec 31, 2003
    risk 0.00cvss epss 0.00

    Weblogic.admin for BEA WebLogic Server and Express 7.0 and 7.0.0.1 displays the JDBCConnectionPoolRuntimeMBean password to the screen in cleartext, which allows attackers to read a user's password by physically observing ("shoulder surfing") the screen.

  • CVE-2003-1437Dec 31, 2003
    risk 0.00cvss epss 0.00

    BEA WebLogic Express and WebLogic Server 7.0 and 7.0.0.1, stores passwords in plaintext when a keystore is used to store a private key or trust certificate authorities, which allows local users to gain access.

  • CVE-2003-1222Dec 31, 2003
    risk 0.00cvss epss 0.01

    BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password.

Page 7 of 8