Unpatched Bugs in Oracle iPlanet Open Door to Info-Disclosure, Injection
Two bugs, CVE-2020-9315 and CVE-2020-9314, found in Oracle's iPlanet Web Server have been disclosed. If exploited, they allow sensitive data exposure and the injection of images onto web pages, respectively. Both vulnerabilities are in the web administration console of iPlanet version 7, which has reached end-of-life and therefore will not be patched.
The first bug allows read-only access to any page within the administration console without authentication, exposing sensitive configuration information about the server, including encryption keys and the Java Virtual Machine configuration. Researchers added that an attacker can substitute the URL of any page in the administration console into the request and retrieve that page without authenticating.