E20-9vhw2
CVSS:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
False Positive:
t
Variants:
3
Year:
2020
Description
This strike exploits an insecure deserialization vulnerability in Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability is a result of insufficient validation of T3 requests in the UniversalExtractor class. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful exploitation leads to remote code execution, in the context of the user running the Oracle WebLogic service.