PT-2018-13796 · Oracle · Oracle Webcenter Interaction

Ben N

Published

2018-09-18

Updated

2018-12-06

CVE-2018-16957

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Oracle WebCenter Interaction version 10.3.3

Description The Oracle WebCenter Interaction search service queryd.exe binary contains a hardcoded password i1g2s3c4. This password is used for authentication to the search service and cannot be customized. An adversary with network access to the service could exploit this to perform search queries and extract large quantities of sensitive information.

Recommendations For Oracle WebCenter Interaction version 10.3.3, consider restricting access to the search service to minimize the risk of exploitation, as the hardcoded password cannot be changed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

CVE-2018-16957

Affected Products

Oracle Webcenter Interaction

PT-2018-13796 · Oracle · Oracle Webcenter Interaction

CVE-2018-16957

Weakness Enumeration

Related Identifiers

Affected Products

References · 4