{"api_version":"1","generated_at":"2026-07-07T22:11:57+00:00","cve":"CVE-2017-3506","urls":{"html":"https://cve.report/CVE-2017-3506","api":"https://cve.report/api/cve/CVE-2017-3506.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-3506","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-3506"},"summary":{"title":"CVE-2017-3506","description":"Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).","state":"PUBLISHED","assigner":"oracle","published_at":"2017-04-24 19:59:03","updated_at":"2026-04-22 13:39:47"},"problem_types":["NVD-CWE-noinfo","CWE-78","Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as  unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.","CWE-78 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.4","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.4","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.4","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"5.8","severity":"","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","baseScore":5.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}}],"references":[{"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html","name":"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"Oracle Critical Patch Update - April 2017","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-3506","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-3506","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.securityfocus.com/bid/97884","name":"http://www.securityfocus.com/bid/97884","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory","VDB Entry"],"title":"Oracle WebLogic Server CVE-2017-3506 Remote Security Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1038296","name":"http://www.securitytracker.com/id/1038296","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory","VDB Entry"],"title":"Oracle WebLogic Server Bugs Let Remote Users Access and Modify Data and Cause Denial of Service Conditions - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-3506","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-3506","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Oracle Corporation","product":"WebLogic Server","version":"affected 10.3.6.0","platforms":[]},{"source":"CNA","vendor":"Oracle Corporation","product":"WebLogic Server","version":"affected 12.1.3.0","platforms":[]},{"source":"CNA","vendor":"Oracle Corporation","product":"WebLogic Server","version":"affected 12.2.1.0","platforms":[]},{"source":"CNA","vendor":"Oracle Corporation","product":"WebLogic Server","version":"affected 12.2.1.1","platforms":[]},{"source":"CNA","vendor":"Oracle Corporation","product":"WebLogic Server","version":"affected 12.2.1.2","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 10.3.6.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.1.3.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.1.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.2.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 10.3.6.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.1.3.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.1.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.2.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 10.3.6.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.1.3.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.1.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.2.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 10.3.6.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.1.3.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.1.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.2.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 10.3.6.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.1.3.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.0.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.1.0","platforms":[]},{"source":"ADP","vendor":"oracle","product":"weblogic_server","version":"affected 12.2.1.2.0","platforms":[]}],"timeline":[{"source":"ADP","time":"2024-06-03T00:00:00.000Z","lang":"en","value":"CVE-2017-3506 added to CISA KEV"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"3506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"10.3.6.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"3506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"12.1.3.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"3506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"12.2.1.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"3506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"12.2.1.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"3506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"weblogic_server","cpe6":"12.2.1.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2017","cve_id":"3506","cve":"CVE-2017-3506","vendorProject":"Oracle","product":"WebLogic Server","vulnerabilityName":"Oracle WebLogic Server OS Command Injection Vulnerability","dateAdded":"2024-06-03","shortDescription":"Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.","requiredAction":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","dueDate":"2024-06-24","knownRansomwareCampaignUse":"Unknown","notes":"https://www.oracle.com/security-alerts/cpuapr2017.html; https://nvd.nist.gov/vuln/detail/CVE-2017-3506","cwes":"CWE-78","catalogVersion":"2026.07.07","updated_at":"2026-07-07 14:21:09"},"epss":{"cve_year":"2017","cve_id":"3506","cve":"CVE-2017-3506","epss":"0.962810000","percentile":"0.998710000","score_date":"2026-07-06","updated_at":"2026-07-07 00:05:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"cpes":["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"weblogic_server","vendor":"oracle","versions":[{"status":"affected","version":"10.3.6.0.0"},{"status":"affected","version":"12.1.3.0.0"},{"status":"affected","version":"12.2.1.0.0"},{"status":"affected","version":"12.2.1.1.0"},{"status":"affected","version":"12.2.1.2.0"}]},{"cpes":["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"weblogic_server","vendor":"oracle","versions":[{"status":"affected","version":"10.3.6.0.0"},{"status":"affected","version":"12.1.3.0.0"},{"status":"affected","version":"12.2.1.0.0"},{"status":"affected","version":"12.2.1.1.0"},{"status":"affected","version":"12.2.1.2.0"}]},{"cpes":["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"weblogic_server","vendor":"oracle","versions":[{"status":"affected","version":"10.3.6.0.0"},{"status":"affected","version":"12.1.3.0.0"},{"status":"affected","version":"12.2.1.0.0"},{"status":"affected","version":"12.2.1.1.0"},{"status":"affected","version":"12.2.1.2.0"}]},{"cpes":["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"weblogic_server","vendor":"oracle","versions":[{"status":"affected","version":"10.3.6.0.0"},{"status":"affected","version":"12.1.3.0.0"},{"status":"affected","version":"12.2.1.0.0"},{"status":"affected","version":"12.2.1.1.0"},{"status":"affected","version":"12.2.1.2.0"}]},{"cpes":["cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"weblogic_server","vendor":"oracle","versions":[{"status":"affected","version":"10.3.6.0.0"},{"status":"affected","version":"12.1.3.0.0"},{"status":"affected","version":"12.2.1.0.0"},{"status":"affected","version":"12.2.1.1.0"},{"status":"affected","version":"12.2.1.2.0"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2017-3506","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2024-06-28T03:55:18.693969Z","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2024-06-03","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-3506"},"type":"kev"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-10-21T23:55:42.100Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-3506"}],"timeline":[{"lang":"en","time":"2024-06-03T00:00:00.000Z","value":"CVE-2017-3506 added to CISA KEV"}],"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-05T14:30:57.671Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"1038296","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id/1038296"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"},{"name":"97884","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/97884"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"WebLogic Server","vendor":"Oracle Corporation","versions":[{"status":"affected","version":"10.3.6.0"},{"status":"affected","version":"12.1.3.0"},{"status":"affected","version":"12.2.1.0"},{"status":"affected","version":"12.2.1.1"},{"status":"affected","version":"12.2.1.2"}]}],"datePublic":"2017-04-18T00:00:00.000Z","descriptions":[{"lang":"en","value":"Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)."}],"problemTypes":[{"descriptions":[{"description":"Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as  unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-07-10T09:57:01.000Z","orgId":"43595867-4340-4103-b7a2-9a5208d29a85","shortName":"oracle"},"references":[{"name":"1038296","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id/1038296"},{"tags":["x_refsource_CONFIRM"],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"},{"name":"97884","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/97884"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"secalert_us@oracle.com","ID":"CVE-2017-3506","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"WebLogic Server","version":{"version_data":[{"version_affected":"=","version_value":"10.3.6.0"},{"version_affected":"=","version_value":"12.1.3.0"},{"version_affected":"=","version_value":"12.2.1.0"},{"version_affected":"=","version_value":"12.2.1.1"},{"version_affected":"=","version_value":"12.2.1.2"}]}}]},"vendor_name":"Oracle Corporation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as  unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data."}]}]},"references":{"reference_data":[{"name":"1038296","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1038296"},{"name":"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html"},{"name":"97884","refsource":"BID","url":"http://www.securityfocus.com/bid/97884"}]}}}},"cveMetadata":{"assignerOrgId":"43595867-4340-4103-b7a2-9a5208d29a85","assignerShortName":"oracle","cveId":"CVE-2017-3506","datePublished":"2017-04-24T19:00:00.000Z","dateReserved":"2016-12-06T00:00:00.000Z","dateUpdated":"2025-10-21T23:55:42.100Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-04-24 19:59:03","lastModifiedDate":"2026-04-22 13:39:47","problem_types":["NVD-CWE-noinfo","CWE-78","Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as  unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.","CWE-78 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","baseScore":5.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*","matchCriteriaId":"B40B13B7-68B3-4510-968C-6A730EB46462"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*","matchCriteriaId":"C93CC705-1F8C-4870-99E6-14BF264C3811"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:12.2.1.0.0:*:*:*:*:*:*:*","matchCriteriaId":"9F57085F-A922-421B-BD10-ECC4F3CB34C2"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*","matchCriteriaId":"29F4C533-DE42-463B-9D80-5D4C85BF1A5B"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*","matchCriteriaId":"3A1728D5-E03B-49A0-849C-B722197AF054"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"3506","Ordinal":"1","Title":"CVE-2017-3506","CVE":"CVE-2017-3506","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"3506","Ordinal":"1","NoteData":"Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).","Type":"Description","Title":"CVE-2017-3506"},{"CveYear":"2017","CveId":"3506","Ordinal":"2","NoteData":"2017-04-24","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"3506","Ordinal":"3","NoteData":"2017-07-10","Type":"Other","Title":"Modified"}]}}}