Description
BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges.
References (7)
Core 7
Core References
Patch, Vendor Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/10131
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/11357
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1009764
Patch, Vendor Advisory x_refsource_confirm
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp
Patch, Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/920238
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/5297
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/15860
Scores
EPSS
0.0016
EPSS Percentile
36.6%
Details
Status
published
Products (3)
bea/weblogic_server
6.1 (16 CPE variants)
bea/weblogic_server
7.0 (12 CPE variants)
bea/weblogic_server
8.1 (9 CPE variants)
Published
Apr 13, 2004
Tracked Since
Feb 18, 2026