Oracle Weblogic Server Java EE server

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Oracle Weblogic Server.

By the Year

In 2025 there have been 2 vulnerabilities in Oracle Weblogic Server with an average score of 8.7 out of ten. Last year, in 2024 Weblogic Server had 14 security vulnerabilities published. Right now, Weblogic Server is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.73.

Year	Vulnerabilities	Average Score
2025	2	8.65
2024	14	7.92
2023	19	7.51
2022	32	6.93
2021	44	7.45
2020	70	7.37
2019	40	7.46
2018	31	7.37

It may take a day or so for new Weblogic Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle Weblogic Server Security Vulnerabilities

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2025-21535 9.8 - Critical - January 21, 2025

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2025-21549 7.5 - High - January 21, 2025

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21215 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21216 9.8 - Critical - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21234 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21260 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console)

CVE-2024-21274 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21175 9.1 - Critical - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21181 9.8 - Critical - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21182 7.5 - High - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21183 7.5 - High - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21006 7.5 - High - April 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-21007 7.5 - High - April 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-20986 6.1 - Medium - February 17, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-20931 7.5 - High - February 17, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2024-20927 8.6 - High - February 17, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 8.6 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22069 9.8 - Critical - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22072 9.8 - Critical - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22086 7.5 - High - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22089 9.8 - Critical - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22101 8.1 - High - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22108 7.5 - High - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22031 4.4 - Medium - July 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.1.0.0 and 12.2.1.4.0. Difficult to exploit vulnerability allows high privileged attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-22040 6.5 - Medium - July 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21931 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21979 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services)

CVE-2023-21996 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container)

CVE-2023-21956 6.1 - Medium - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21960 5.6 - Medium - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21964 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21837 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21838 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21839 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Marshaling, Unmarshaling

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2023-21841 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container)

CVE-2023-21842 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container)

CVE-2022-21616 5.2 - Medium - October 18, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services)

CVE-2022-21564 5.3 - Medium - July 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2022-21560 5.3 - Medium - July 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container)

CVE-2022-21557 5.7 - Medium - July 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2022-21548 6.5 - Medium - July 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library

CVE-2022-24891 6.1 - Medium - April 27, 2022

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library

CVE-2022-23457 9.8 - Critical - April 25, 2022

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.

Directory traversal

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input

CVE-2022-29577 6.1 - Medium - April 21, 2022

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.

XSS

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)

CVE-2022-21441 7.5 - High - April 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3/IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console)

CVE-2022-21453 6.1 - Medium - April 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

org.cyberneko.html is an html parser written in Java

CVE-2022-24839 7.5 - High - April 11, 2022

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

Resource Exhaustion

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding

CVE-2022-22965 9.8 - Critical - April 01, 2022

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Code Injection

jackson-databind before 2.13.0

CVE-2020-36518 7.5 - High - March 11, 2022

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

Memory Corruption

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads

CVE-2022-23437 6.5 - Medium - January 24, 2022

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Infinite Loop

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples)

CVE-2022-21261 6.1 - Medium - January 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle Weblogic Server or by Oracle? Click the Watch button to subscribe.

Oracle
Vendor

Oracle Weblogic Server
Java EE server

Oracle Weblogic Server Java EE server

Don't miss out!

By the Year

Recent Oracle Weblogic Server Security Vulnerabilities

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2025-21535 9.8 - Critical - January 21, 2025

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2025-21549 7.5 - High - January 21, 2025

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21215 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21216 9.8 - Critical - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21234 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21260 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) CVE-2024-21274 7.5 - High - October 15, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21175 9.1 - Critical - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21181 9.8 - Critical - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21182 7.5 - High - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21183 7.5 - High - July 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21006 7.5 - High - April 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-21007 7.5 - High - April 16, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-20986 6.1 - Medium - February 17, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-20931 7.5 - High - February 17, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2024-20927 8.6 - High - February 17, 2024

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22069 9.8 - Critical - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22072 9.8 - Critical - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22086 7.5 - High - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22089 9.8 - Critical - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22101 8.1 - High - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22108 7.5 - High - October 17, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22031 4.4 - Medium - July 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-22040 6.5 - Medium - July 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21931 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21979 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services) CVE-2023-21996 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container) CVE-2023-21956 6.1 - Medium - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21960 5.6 - Medium - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21964 7.5 - High - April 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21837 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21838 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21839 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2023-21841 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container) CVE-2023-21842 7.5 - High - January 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container) CVE-2022-21616 5.2 - Medium - October 18, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services) CVE-2022-21564 5.3 - Medium - July 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2022-21560 5.3 - Medium - July 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container) CVE-2022-21557 5.7 - Medium - July 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2022-21548 6.5 - Medium - July 19, 2022

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library CVE-2022-24891 6.1 - Medium - April 27, 2022

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library CVE-2022-23457 9.8 - Critical - April 25, 2022

OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input CVE-2022-29577 6.1 - Medium - April 21, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) CVE-2022-21441 7.5 - High - April 19, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console) CVE-2022-21453 6.1 - Medium - April 19, 2022

org.cyberneko.html is an html parser written in Java CVE-2022-24839 7.5 - High - April 11, 2022

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding CVE-2022-22965 9.8 - Critical - April 01, 2022

jackson-databind before 2.13.0 CVE-2020-36518 7.5 - High - March 11, 2022

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads CVE-2022-23437 6.5 - Medium - January 24, 2022

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Samples) CVE-2022-21261 6.1 - Medium - January 19, 2022