Skip to main content

Oracle

Vendor security scorecard – 7770 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 17939
7770
CVEs
609
Critical
1959
High
41
KEV
245
PoC
1053
Unpatched C/H
58.7%
Patch Rate
2.6%
Avg EPSS

Severity Breakdown

CRITICAL
609
HIGH
1959
MEDIUM
4405
LOW
796

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2012-4681 Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName methods, enabling complete sandbox escape for untrusted applets. Massively exploited by exploit kits in 2012. CRITICAL 9.8 94.1% 238
KEV PoC No patch
CVE-2013-2465 Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthenticated attackers to execute arbitrary code and escape security restrictions. Affects Oracle JRE 5.0 through Update 45, 6 through Update 45, 7 through Update 21, and OpenJDK 7. Confirmed actively exploited (CISA KEV) with 93.22% EPSS probability and publicly available exploit code. Oracle released patches in June 2013 CPU addressing the vulnerability through image channel verification corrections. CRITICAL 9.8 93.2% 237
KEV PoC
CVE-2011-3544 Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise through malicious Java Web Start applications and untrusted applets exploiting the Scripting component. CISA KEV confirms active exploitation in the wild. EPSS score of 92.59% (100th percentile) indicates extremely high probability of mass exploitation. Public exploit code exists, making this a critical priority for any environment running affected Java versions despite the vulnerability's age. CRITICAL 9.8 92.6% 237
KEV PoC
CVE-2012-1723 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 9.8 94.1% 228
KEV PoC No patch
CVE-2013-0422 Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 9.8 93.6% 228
KEV PoC No patch
CVE-2012-0507 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 9.8 93.6% 228
KEV PoC No patch
CVE-2017-10271 Oracle WebLogic Server allows unauthenticated remote code execution through the WLS Security component's T3 protocol, massively exploited for cryptocurrency mining and botnet recruitment from 2017 onward. HIGH 7.5 94.4% 227
KEV PoC
CVE-2015-4852 The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 9.8 92.9% 227
KEV PoC
CVE-2012-5076 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 9.8 91.7% 226
KEV PoC
CVE-2012-3152 Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 9.1 93.5% 224
KEV PoC
CVE-2016-8735 Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. CRITICAL 9.8 93.8% 213
KEV PoC
CVE-2013-0431 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. MEDIUM 5.3 91.6% 203
KEV PoC No patch
CVE-2017-3506 Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available. HIGH 7.4 94.4% 201
KEV PoC
CVE-2013-2423 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Actively exploited in the wild (cisa kev) and public exploit code available. LOW 3.7 93.4% 197
KEV PoC
CVE-2024-21182 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available. HIGH 7.5 87.7% 195
KEV PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy