Vulnerability Description
The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password and cannot be customised by customers. An adversary able to access this service over a network could perform search queries to extract large quantities of sensitive information from the WCI installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Webcenter Interaction | 10.3.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/105350Third Party AdvisoryVDB Entry
- https://seclists.org/fulldisclosure/2018/Sep/22Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/105350Third Party AdvisoryVDB Entry
- https://seclists.org/fulldisclosure/2018/Sep/22Mailing ListThird Party Advisory
FAQ
What is CVE-2018-16957?
CVE-2018-16957 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password ...
How severe is CVE-2018-16957?
CVE-2018-16957 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-16957?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Webcenter Interaction.