Main Vulnerability Database Exploits ID:6020 - Exploit for Insecure deserialization in Oracle WebLogic Server - CVE-2019-2725

ID:6020 - Exploit for Insecure deserialization in Oracle WebLogic Server - CVE-2019-2725

Published: June 17, 2021

Vulnerability identifier: #VU18354

Vulnerability risk: High

CVE-ID: CVE-2019-2725

CWE-ID: CWE-502

Exploitation vector: Remote access

Vulnerable software:
Oracle WebLogic Server

Link to public exploit:

https://www.exploit-db.com/exploits/46814/

Vulnerability description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insecure deserialization of untrusted data within the "wls9_async_response.war" and "wls-wsat.war" components. A remote non-authenticated attacker can send a specially crafted HTTP request to "/_async/*" and "/wls-wsat/*" URLs and execute arbitrary code on the target system.

Remediation

Install patch from vendor's website.

ID:6020 - Exploit for Insecure deserialization in Oracle WebLogic Server - CVE-2019-2725

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human