CVE-2018-16957
moderate-risk
Published 2018-09-18
The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password and cannot be customised by customers. An adversary able to access this service over a network could perform search queries to extract large quantities of sensitive information from the WCI installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.
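The practical question this raises for a defender is whether a given WCI deployment still ships the affected search binary and whether that binary is reachable. The following is an added example, not code from the advisory, from MITRE or from Oracle: an offline inventory check that walks a directory tree for copies of queryd.exe, records their SHA-256 for tracking, and looks for the credential literal named in the description. It assumes the password is embedded as a plain ANSI or UTF-16LE string (the advisory only says the binary is compiled with it, not how it is stored), so a miss does not prove a build is clean; a hit on a host whose search service port is reachable from untrusted networks is what to isolate, since the product is out of support.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hardcoded credential named in the CVE-2018-16957 description.
HARDCODED_PASSWORD = "i1g2s3c4"

# Assumption: a Windows binary may carry the literal as ANSI or as UTF-16LE.
# Both encodings are searched; other storage forms (obfuscated, split) are not.
NEEDLES = {
    "ascii": HARDCODED_PASSWORD.encode("ascii"),
    "utf-16le": HARDCODED_PASSWORD.encode("utf-16-le"),
}


def scan_bytes(data: bytes) -> dict:
    """Return {encoding: offset} for each encoding of the literal found in data."""
    hits = {}
    for name, needle in NEEDLES.items():
        off = data.find(needle)
        if off != -1:
            hits[name] = off
    return hits


def scan_file(path) -> dict:
    """Hash one file and report any credential-literal hits inside it."""
    p = Path(path)
    data = p.read_bytes()
    return {
        "path": str(p),
        "sha256": hashlib.sha256(data).hexdigest(),
        "hits": scan_bytes(data),
    }


def scan_tree(root, name="queryd.exe") -> list:
    """Find every file named `name` (case-insensitive) under root and scan it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() == name:
                results.append(scan_file(os.path.join(dirpath, f)))
    return results


def demo() -> list:
    """Constructed sample tree (not a real WCI install): one binary carrying the
    literal as UTF-16LE after a fake DOS header, one without it."""
    tmp = Path(tempfile.mkdtemp())
    bad = tmp / "ptsearch" / "queryd.exe"
    bad.parent.mkdir()
    bad.write_bytes(
        b"MZ\x90\x00" + b"\x00" * 32
        + HARDCODED_PASSWORD.encode("utf-16-le") + b"\x00" * 16
    )
    ok = tmp / "other" / "queryd.exe"
    ok.parent.mkdir()
    ok.write_bytes(b"MZ\x90\x00" + b"\x00" * 64)
    return scan_tree(tmp)


if __name__ == "__main__":
    for entry in demo():
        status = "HIT " + str(entry["hits"]) if entry["hits"] else "no literal found"
        print(entry["sha256"][:16], entry["path"], status)
```

Run it against the WCI install root on each portal host; pair any hit with a firewall or netstat check of the search service listener, because the credential cannot be changed and the only available mitigation is restricting who can reach the service.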
Do I need to act?
EPSS: 8.2% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance; the product is out of support, as noted in the description above.
CVSS: 9.8/10, Critical. Attack vector NETWORK, attack complexity LOW
Affected Products (1): Webcenter Interaction
Affected Vendors: Oracle
References (2)
Third Party Advisory: http://www.securityfocus.com/bid/105350
Mailing List: https://seclists.org/fulldisclosure/2018/Sep/22
Risk score: 47/100 (moderate-risk)
Severity: 32/34 (Critical)
Exploitability: 10/34 (Low)
Exposure: 5/34 (Minimal)