CVE: CVE-2015-4852

Export to Word

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.92262
Percentile: 0.99707

CVSS Scoring

CVSS v3.1 Score: 9.8

Severity: CRITICAL

KEV is present

Mapped CWE(s)

CWE-502 : Deserialization of Untrusted Data

All CAPEC(s)

CAPEC-586: Object Injection

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

Affected Products

cpe:2.3:a:oracle:virtual_desktop_infrastructure:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*

← Back to Home