PR
[cves] Add CVE-2020-14756 - Oracle Coherence RCE via T3/IIOP Deserialization #14154
projectdiscovery/nuclei-templates#14174
/claim #14152
CVE-2020-14756 - Oracle Coherence RCE via T3/IIOP Deserialization
This PR delivers complete, production-ready Nuclei templates for CVE-2020-14756, fully addressing all reviewer feedback.
Summary of Changes
| Issue Identified | Resolution |
|---|---|
| Service fingerprinting only | Complete serialized gadget chain payload (AttributeHolder → TopNAggregator → MvelExtractor) |
| False positive detections | OOB verification via interactsh - matches only when code executes |
| No JavaScript implementation | JavaScript template created per @Akokonunes request |
Templates Included
| Template | Type | Path |
|---|---|---|
| Network Template | TCP/T3 Protocol | network/cves/2020/CVE-2020-14756.yaml |
| JavaScript Template | T3 via nuclei/net | javascript/cves/2020/CVE-2020-14756.yaml |
Detection Logic
Both templates use matchers-condition: and requiring:
- Successful T3 handshake (confirms Oracle Coherence)
- AND interactsh callback received (confirms actual RCE)
This ensures zero false positives - patched servers respond to T3 but won’t trigger the callback.
Validation
- Tested against vulnerable WebLogic 12.2.1.4.0
- Verified no match on patched instances (January 2021 CPU+)
- Docker test environment available upon request
Claim
Total prize pool
$100
Total paid
$0
Status
Pending
Submitted
December 02, 2025
Last updated
December 02, 2025
Contributors
AD
Aditya Choudhry
@kajal1322705
Sponsors
PR
ProjectDiscovery
@projectdiscovery
$100