CVE-2023-40571 CRITICAL

CVE-2023-40571: weblogic-framework Deserialization of Untrusted Data vulnerability

Vendor Dream0X01
Product weblogic-framework
Weakness CWE-502 · Unsafe deserialization
Published August 25, 2023
Last update October 2, 2024
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

weblogic-framework is a tool for detecting weblogic vulnerabilities. Versions 0.2.3 and prior do not verify the returned data packets, and there is a deserialization vulnerability which may lead to remote code execution. When weblogic-framework gets the command echo, it directly deserializes the data returned by the server without verifying it. At the same time, the classloader loads a lot of deserialization calls. In this case, the malicious serialized data returned by the server will cause remote code execution. Version 0.2.4 contains a patch for this issue.

Key dates

02Disclosure timeline

August 25, 2023 CVE published
October 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-2485 Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated PHP Object Injection via PHAR to Arbitrary File Deletion CVE-2026-41855 Spring Framework Unsafe Deserialization via Jackson JMS Converters CVE-2025-30889 WordPress Testimonial Slider plugin <= 2.0.13 - PHP Object Injection vulnerability CVE-2024-8003 Go-Tribe gotribe-admin Log routes.go InitRoutes deserialization CVE-2026-20251 Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway