CVE-2017-3506
Summary
| CVE | CVE-2017-3506 |
|---|---|
| State | PUBLISHED |
| Assigner | oracle |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-04-24 19:59:03 UTC |
| Updated | 2026-04-22 13:39:47 UTC |
| Description | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). |
Risk And Classification
Primary CVSS: v3.1 7.4 HIGH from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.962810000 probability, percentile 0.998710000 (date 2026-07-06)
CISA KEV: Listed on 2024-06-03; due 2024-06-24; ransomware use Unknown
Problem Types: NVD-CWE-noinfo | CWE-78 | Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. | CWE-78 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | ADP | DECLARED | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 2.0 | [email protected] | Primary | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v2.0 Breakdown
AV:N/AC:M/Au:N/C:P/I:P/A:N
CISA Known Exploited Vulnerability
| Vendor | Oracle |
|---|---|
| Product | WebLogic Server |
| Name | Oracle WebLogic Server OS Command Injection Vulnerability |
| Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Notes | https://www.oracle.com/security-alerts/cpuapr2017.html; https://nvd.nist.gov/vuln/detail/CVE-2017-3506 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Oracle | Weblogic Server | 10.3.6.0.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.1.3.0.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.0.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.1.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.2.1.2.0 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Oracle Corporation | WebLogic Server | affected 10.3.6.0 | Not specified |
| CNA | Oracle Corporation | WebLogic Server | affected 12.1.3.0 | Not specified |
| CNA | Oracle Corporation | WebLogic Server | affected 12.2.1.0 | Not specified |
| CNA | Oracle Corporation | WebLogic Server | affected 12.2.1.1 | Not specified |
| CNA | Oracle Corporation | WebLogic Server | affected 12.2.1.2 | Not specified |
| ADP | Oracle | Weblogic Server | affected 10.3.6.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.1.3.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.1.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.2.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 10.3.6.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.1.3.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.1.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.2.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 10.3.6.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.1.3.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.1.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.2.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 10.3.6.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.1.3.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.1.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.2.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 10.3.6.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.1.3.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.0.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.1.0 | Not specified |
| ADP | Oracle | Weblogic Server | affected 12.2.1.2.0 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Oracle Critical Patch Update - April 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Vendor Advisory |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| Oracle WebLogic Server CVE-2017-3506 Remote Security Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Broken Link, Third Party Advisory, VDB Entry |
| Oracle WebLogic Server Bugs Let Remote Users Access and Modify Data and Cause Denial of Service Conditions - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Broken Link, Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2024-06-03T00:00:00.000Z | CVE-2017-3506 added to CISA KEV |