CVE-2019-2725
Summary
| CVE | CVE-2019-2725 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-04-26 19:29:00 UTC |
| Updated | 2022-04-27 16:39:00 UTC |
| Description | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
Risk And Classification
EPSS: probability 0.944680000, percentile 0.999970000 (as of 2026-04-01)
CISA KEV: listed 2022-01-10; due 2022-07-10; ransomware use: Known
Problem Types: CWE-74
CISA Known Exploited Vulnerability
| Vendor | Oracle |
|---|---|
| Product | WebLogic Server |
| Name | Oracle WebLogic Server, Injection |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2019-2725 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Oracle | Agile Plm | 9.3.3 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.4 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.5 | All | All | All |
| Application | Oracle | Communications Converged Application Server | 5.1 | All | All | All |
| Application | Oracle | Communications Converged Application Server | 7.0 | All | All | All |
| Application | Oracle | Communications Converged Application Server | 7.1 | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.56 | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.57 | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.58 | All | All | All |
| Application | Oracle | Storagetek Tape Analytics Sw Tool | 2.3 | All | All | All |
| Application | Oracle | Tape Library Acsls | 8.5 | All | All | All |
| Application | Oracle | Tape Virtual Storage Manager Gui | 6.2 | All | All | All |
| Application | Oracle | Vm Virtualbox | All | All | All | All |
| Application | Oracle | Vm Virtualbox | 5.2.36 | All | All | All |
| Application | Oracle | Weblogic Server | 10.3.6.0.0 | All | All | All |
| Application | Oracle | Weblogic Server | 12.1.3.0.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Oracle Security Alert CVE-2019-2725 | MISC | www.oracle.com | Patch, Vendor Advisory |
| Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution | EXPLOIT-DB | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| Oracle Critical Patch Update Advisory - July 2019 | MISC | www.oracle.com | |
| Oracle Security Alert CVE-2019-2725 | MISC | www.oracle.com | |
| Oracle Weblogic Server Deserialization Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| support.f5.com/csp/article/K90059138 | CONFIRM | support.f5.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - January 2020 | MISC | www.oracle.com | |
| Oracle WebLogic Server Deserialization Remote Command Execution Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.