GHSA-j9r3-w4r5-872h · Severity: medium — The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and...
The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.
Conclusion & alert: CVE-2004-2320 is rated Moderate Risk (48.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.56%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 4.03% | 2.56% | -1.47% |
| 2 | 2026-05-31 | 4.15% | 4.03% | -0.12% |
| 3 | 2026-05-29 | — | 4.15% | — |
Full EPSS history (12 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM |
|
3.9 | 1.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| 5.8 | 2.0 | MEDIUM |
|
8.6 | 4.9 | [email protected] |
GHSA-j9r3-w4r5-872h · Severity: medium — The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and...
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
— | — | https://access.redhat.com/security/cve/CVE-2004-2320 |
The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required. For more information please see: http://www.apacheweek.com/issues/03-01-24#news
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:*:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:*:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp1:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp1:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp1:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp10:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp10:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp10:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp11:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp11:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp11:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp12:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp12:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp12:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp13:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp13:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp13:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp2:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp2:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp2:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp3:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp3:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp3:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp4:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp4:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp4:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp5:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp5:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp5:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp6:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp6:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp6:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp7:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp7:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp7:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp8:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp8:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp8:win32:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp9:*:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp9:express:*:*:*:*:* |
| bea | weblogic_server | 5.1 | cpe:2.3:a:bea:weblogic_server:5.1:sp9:win32:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:*:*:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:*:express:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:*:win32:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp1:*:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp1:express:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp1:win32:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp2:*:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp2:express:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp2:win32:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp3:*:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp3:express:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp3:win32:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp4:*:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp4:express:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp4:win32:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp5:*:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp5:express:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp5:win32:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp6:*:*:*:*:*:* |
| bea | weblogic_server | 6.1 | cpe:2.3:a:bea:weblogic_server:6.1:sp6:win32:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:*:*:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:*:express:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:*:win32:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp1:*:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp1:express:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp1:win32:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp2:*:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp2:express:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp2:win32:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp3:*:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp3:express:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp3:win32:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp4:*:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp4:express:*:*:*:*:* |
| bea | weblogic_server | 7.0 | cpe:2.3:a:bea:weblogic_server:7.0:sp4:win32:*:*:*:*:* |
| bea | weblogic_server | 8.1 | cpe:2.3:a:bea:weblogic_server:8.1:*:*:*:*:*:*:* |
| bea | weblogic_server | 8.1 | cpe:2.3:a:bea:weblogic_server:8.1:*:express:*:*:*:*:* |
| bea | weblogic_server | 8.1 | cpe:2.3:a:bea:weblogic_server:8.1:*:win32:*:*:*:*:* |
| bea | weblogic_server | 8.1 | cpe:2.3:a:bea:weblogic_server:8.1:sp1:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://dev2dev.bea.com/pub/advisory/68 | Patch Vendor Advisory |
| http://secunia.com/advisories/10726 | Vendor Advisory |
| http://www.kb.cert.org/vuls/id/867593 | Third Party Advisory US Government Resource |
| http://www.osvdb.org/3726 | |
| http://www.securityfocus.com/bid/9506 | Patch |
| http://www.securitytracker.com/alerts/2004/Jan/1008866.html | Patch |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/14959 |