id: CVE-2020-2551

info:
  name: Oracle WebLogic Server - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    Oracle WebLogic Server (Oracle Fusion Middleware (component: WLS Core Components) is susceptible to a remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 2.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability could allow unauthenticated attackers with network access via IIOP to compromise Oracle WebLogic Server.
  remediation: |
    Apply the latest security patches provided by Oracle to mitigate this vulnerability.
  reference:
    - https://github.com/hktalent/CVE-2020-2551
    - https://nvd.nist.gov/vuln/detail/CVE-2020-2551
    - https://www.oracle.com/security-alerts/cpujan2020.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-2551
    epss-score: 0.97468
    epss-percentile: 0.99939
    cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: oracle
    product: weblogic_server
  tags: cve,cve2020,oracle,weblogic,rce,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/console/login/LoginForm.jsp"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "10.3.6.0"
          - "12.1.3.0"
          - "12.2.1.3"
          - "12.2.1.4"
        condition: or

      - type: word
        part: body
        words:
          - "WebLogic"

      - type: status
        status:
          - 200