BeaCVEs & Vulnerabilities

159 CVEs affecting Bea products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

weblogic server 431tuxedo 21aqualogic interaction 8aqualogic service bus 6weblogic integration 6weblogic workshop 4weblogic mobility server 3aqualogic enterprise security 3
CVE-2002-2141HIGH

BEA WebLogic Server and Express 7.0 and 7.0.0.1, when running Servlets and Enterprise JavaBeans (EJB) on more than one server, will remove the security constraints and roles on all servers for any Servlets or EJB that are used by an application that is undeployed on one server, which could allow remote attackers to conduct unauthorized activities in violation of the intended restrictions.

31 Dec 2002
7.5
CVSS
CVE-2002-2142HIGH

An undocumented extension for the Servlet mappings in the Servlet 2.3 specification, when upgrading to WebLogic Server and Express 7.0 Service Pack 1 from BEA WebLogic Server and Express 6.0 through 7.0.0.1, does not prepend a "/" character in certain URL patterns, which prevents the proper enforcement of role mappings and policies in applications that use the extension.

31 Dec 2002
7.5
CVSS
CVE-2002-2177LOW

BEA WebLogic Server and Express 6.1 through 7.0.0.1 buffers HTTP requests in a way that can cause BEA to send the same response for two different HTTP requests, which could allow remote attackers to obtain sensitive information that was intended for other users.

31 Dec 2002
2.6
CVSS
CVE-2002-1030LOW

Race condition in Performance Pack in BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 allows remote attackers to cause a denial of service (crash) via a flood of data and connections.

4 Oct 2002
2.6
CVSS
CVE-2002-0106MEDIUMpoc

BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.

25 Mar 2002
5.0
CVSS
CVE-2001-1477MEDIUM

The Domain gateway in BEA Tuxedo 7.1 does not perform authorization checks for imported services and qspaces on remote domains, even when an ACL exists, which allows users to access services in a remote domain.

31 Dec 2001
4.6
CVSS
CVE-2001-0098CRITICALpoc

Buffer overflow in Bea WebLogic Server before 5.1.0 allows remote attackers to execute arbitrary commands via a long URL that begins with a ".." string.

12 Feb 2001
10.0
CVSS
CVE-2000-1238HIGH

BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows remote attackers to bypass access controls for restricted JSP or servlet pages via a URL with multiple / (forward slash) characters before the restricted pages.

31 Dec 2000
7.5
CVSS
CVE-2000-0681CRITICAL

Buffer overflow in BEA WebLogic server proxy plugin allows remote attackers to execute arbitrary commands via a long URL with a .JSP extension.

20 Oct 2000
10.0
CVSS
CVE-2000-0682MEDIUM

BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /ConsoleHelp/ into the URL, which invokes the FileServlet.

20 Oct 2000
5.0
CVSS
CVE-2000-0683MEDIUM

BEA WebLogic 5.1.x allows remote attackers to read source code for parsed pages by inserting /*.shtml/ into the URL, which invokes the SSIServlet.

20 Oct 2000
5.0
CVSS
CVE-2000-0684CRITICALpoc

BEA WebLogic 5.1.x does not properly restrict access to the JSPServlet, which could allow remote attackers to compile and execute Java JSP code by directly invoking the servlet on any source file.

20 Oct 2000
10.0
CVSS
CVE-2000-0685CRITICALpoc

BEA WebLogic 5.1.x does not properly restrict access to the PageCompileServlet, which could allow remote attackers to compile and execute Java JHTML code by directly invoking the servlet on any source file.

20 Oct 2000
10.0
CVSS
CVE-2000-0500MEDIUMpoc

The default configuration of BEA WebLogic 5.1.0 allows a remote attacker to view source code of programs by requesting a URL beginning with /file/, which causes the default servlet to display the file without further processing.

21 Jun 2000
5.0
CVSS
CVE-2000-0499HIGH

The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.

8 Jun 2000
7.5
CVSS
← PrevPage 4 / 4Next →