CVE-2024-20986: 
Oracle WebLogic Server vulnerability analysis and mitigation

A vulnerability has been identified in Oracle WebLogic Server's Core component, tracked as CVE-2024-20986. The affected versions are 12.2.1.4.0 and 14.1.1.0.0. This vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. The vulnerability was disclosed in Oracle's January 2024 Critical Patch Update (Oracle CPU).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring no privileges (PR:N) but does need user interaction (UI:R). The scope is changed (S:C), with low impacts on both confidentiality and integrity (C:L, I:L) and no impact on availability (A:N). The complete CVSS vector is: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data, as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. The scope change indicates that the vulnerability can impact components beyond the vulnerable component (Oracle CPU).

Oracle has released patches for the affected versions (12.2.1.4.0 and 14.1.1.0.0) as part of the January 2024 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible (Oracle CPU).