CVE-2015-8965
moderate-risk
Published 2017-04-06
Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar does not require explicit configuration of servlets that can be called.
Do I need to act?
~
1.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (4)
References (6)
Vendor Advisory
https://rwkbp.makekb.com/?View=entry&EntryID=2521
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Vendor Advisory
https://rwkbp.makekb.com/?View=entry&EntryID=2521
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
46
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
4/34 · Minimal
Exposure
10/34 · Low