CVE-2024-21006

HIGH

Oracle Weblogic Server - Missing Authentication

Title source: rule

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Exploits (4)

nomisec WORKING POC 18 stars

by lightr3d · poc

https://github.com/lightr3d/CVE-2024-21006_jar

View Code ZIP pw:eip

nomisec WORKING POC 13 stars

by momika233 · poc

https://github.com/momika233/CVE-2024-21006

View Code ZIP pw:eip

nomisec WORKING POC 7 stars

by dadvlingd · poc

https://github.com/dadvlingd/CVE-2024-21006

View Code ZIP pw:eip

nomisec WORKING POC

by d3fudd · poc

https://github.com/d3fudd/CVE-2024-21006_PoC

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://www.oracle.com/security-alerts/cpuapr2024.html

Scores

CVSS v3 7.5

EPSS 0.8493

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (2)

oracle/weblogic_server 12.2.1.4.0

oracle/weblogic_server 14.1.1.0.0

Published Apr 16, 2024

Tracked Since Feb 18, 2026