Impact
The vulnerability resides in the WebLogic Server Console component and is due to a Server Side Request Forgery (CWE-601) that allows network access to execute arbitrary code on the server, potentially leading to full takeover. The CVE states that successful attacks require a user other than the attacker to interact with the console, indicating a social-engineering requirement. This means the attacker can influence a victim’s browser to trigger the console and then exploit the vulnerability to compromise confidentiality, integrity, and availability of the WebLogic Server.
Affected Systems
Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0 are affected. The vulnerability applies to any platform running these builds and makes the console reachable over HTTPS.
Risk and Exploitability
The CVSS 3.1 score of 8.8 denotes high severity. The EPSS score of less than 1% indicates a low probability of current exploitation, and the issue is not listed in the CISA KEV catalog. Attackers would target the console over HTTPS; practical exploitation requires a secondary user to interact with the console, increasing complexity and reducing the likelihood of automated attacks.
OpenCVE Enrichment