Vulnerability Note VU#184558
BEA WebLogic Server contains a vulnerability in the URL pattern matching
There is a vulnerability in the URL pattern matching functionality of BEA WebLogic Server that could allow URL restrictions to be bypassed.
BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." The WebLogic Server provides a feature that allows an administrator to restrict access to certain URLs. There is a vulnerability in this URL pattern matching feature that could cause patterns ending in "*" rather than "/*" to be evaluated as wildcard patterns.
According to the BEA Security Advisory,
According to the BEA Security Advisory, the following versions of WebLogic Server and Express are affected by this vulnerability:
A remote user could access restricted URLs that were previously protected by specific URL pattern matching syntax.
Upgrade or Fix Syntax
Upgrade to WebLogic Server and WebLogic Express version 8.1 Service Pack 2.
Upgrade to WebLogic Server and WebLogic Express version 7.0 Service Pack 5.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|BEA Systems Inc.||Affected||-||26 Apr 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by BEA Systems Inc.
This document was written by Damon Morda.
- CVE IDs: Unknown
- Date Public: 21 Apr 2004
- Date First Published: 26 Apr 2004
- Date Last Updated: 26 Apr 2004
- Severity Metric: 4.16
- Document Revision: 19
If you have feedback, comments, or additional information about this vulnerability, please send us email.