PT-2007-4012 · BEA · Oracle WebLogic Server, WebLogic Express

Published: 2007-05-16 · Updated: 2017-07-29 · CVE-2007-2695

CVSS v2.0: 5.1 (Medium)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

- BEA WebLogic Express and WebLogic Server 6.1 through SP7
- BEA WebLogic Express and WebLogic Server 7.0 through SP7
- BEA WebLogic Express and WebLogic Server 8.1 through SP5
- BEA WebLogic Express and WebLogic Server 9.0
- BEA WebLogic Express and WebLogic Server 9.1
Description

When SecureProxy is enabled, the HttpClusterServlet and HttpProxyServlet process external requests on behalf of a system identity. A remote attacker who can reach the proxy can therefore have requests handled under that identity and gain access to administrative data or functionality on the proxied servers.
Recommendations

For every affected release (BEA WebLogic Express and WebLogic Server 6.1 through SP7, 7.0 through SP7, 8.1 through SP5, 9.0 and 9.1), disable SecureProxy on the HttpClusterServlet and HttpProxyServlet deployments so that external requests are no longer processed on behalf of a system identity. SecureProxy is the setting that makes the proxy-to-cluster hop use SSL, so after turning it off confirm that the network path between the proxy and the back-end servers is protected by other means.
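The following is an added example, not part of this advisory and not code from BEA or Oracle: a small Python audit that parses a proxy web application's web.xml, flags HttpClusterServlet and HttpProxyServlet definitions whose SecureProxy init-param is ON (the precondition described above), and produces a copy with SecureProxy set to OFF, which is the workaround recommended here. The sample descriptor, host names, paths and servlet names are constructed for the example; the servlet class names and init-param names are WebLogic's documented ones. Treat the rewritten descriptor as a starting point to review, not a drop-in replacement.

```python
"""Audit a WebLogic proxy web app's web.xml for HttpClusterServlet or
HttpProxyServlet definitions with SecureProxy ON (the precondition for
CVE-2007-2695) and emit a copy with the workaround (SecureProxy OFF) applied.
Added example; not code from the advisory or from BEA/Oracle."""
import xml.etree.ElementTree as ET

# WebLogic's documented proxy servlet classes.
PROXY_SERVLET_CLASSES = {
    "weblogic.servlet.proxy.HttpClusterServlet",
    "weblogic.servlet.proxy.HttpProxyServlet",
}

# Constructed sample descriptor: host names, ports and servlet names are invented.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>HttpClusterServlet</servlet-name>
    <servlet-class>weblogic.servlet.proxy.HttpClusterServlet</servlet-class>
    <init-param>
      <param-name>WebLogicCluster</param-name>
      <param-value>app1.example.internal:7002|app2.example.internal:7002</param-value>
    </init-param>
    <init-param>
      <param-name>SecureProxy</param-name>
      <param-value>ON</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>LegacyProxy</servlet-name>
    <servlet-class>weblogic.servlet.proxy.HttpProxyServlet</servlet-class>
    <init-param>
      <param-name>redirectURL</param-name>
      <param-value>http://legacy.example.internal:7001</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name` (namespace-agnostic), or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def _proxy_servlets(root):
    """Yield every <servlet> element whose class is one of the WebLogic proxies."""
    for elem in root.iter():
        if _local(elem.tag) == "servlet" and \
                _child_text(elem, "servlet-class") in PROXY_SERVLET_CLASSES:
            yield elem


def _init_params(servlet):
    """Map init-param names to values for one <servlet>."""
    params = {}
    for init in servlet:
        if _local(init.tag) == "init-param":
            name = _child_text(init, "param-name")
            if name:
                params[name] = _child_text(init, "param-value") or ""
    return params


def find_secure_proxies(web_xml):
    """Return (servlet-name, servlet-class, init-params) for each proxy servlet
    whose SecureProxy init-param is ON (compared case-insensitively)."""
    root = ET.fromstring(web_xml)
    findings = []
    for servlet in _proxy_servlets(root):
        params = _init_params(servlet)
        if params.get("SecureProxy", "OFF").upper() == "ON":
            findings.append((_child_text(servlet, "servlet-name"),
                             _child_text(servlet, "servlet-class"), params))
    return findings


def disable_secure_proxy(web_xml):
    """Return web_xml with SecureProxy set to OFF on every proxy servlet (the
    advisory's workaround). The proxy-to-cluster hop then runs without SSL,
    so review the back-end network path before deploying the result."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):  # keep the descriptor's default namespace on output
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    for servlet in _proxy_servlets(root):
        for init in servlet:
            if _local(init.tag) == "init-param" and \
                    _child_text(init, "param-name") == "SecureProxy":
                for child in init:
                    if _local(child.tag) == "param-value":
                        child.text = "OFF"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cls, params in find_secure_proxies(VULNERABLE_WEB_XML):
        print(f"FINDING: {name} ({cls}) has SecureProxy=ON, "
              f"cluster={params.get('WebLogicCluster', '?')}")
    hardened = disable_secure_proxy(VULNERABLE_WEB_XML)
    print("SecureProxy=ON proxies after workaround:", len(find_secure_proxies(hardened)))
```

Run it against the web.xml of each proxy web application deployed in front of the cluster; the LegacyProxy entry in the sample is deliberately left without SecureProxy to show that only servlets with the setting ON are reported.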


Related Identifiers

CVE-2007-2695

Affected Products

WebLogic Express
Oracle WebLogic Server