Multiple vulnerabilities in Oracle Primavera P6 Enterprise Project Portfolio Management
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2018-2960 CVE-2018-2961 CVE-2018-2962 CVE-2018-2963 CVE-2018-2849 CVE-2017-10131 CVE-2017-10160 CVE-2017-10038 CVE-2017-3579 CVE-2017-3583 CVE-2017-3503 CVE-2017-3324 CVE-2017-3263 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Primavera P6 Enterprise Project Portfolio Management Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU36865
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-2960
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 8.4, 15.x, 16.x and 17.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.4.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://www.securityfocus.com/bid/104826
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU36866
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-2961
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 8.4, 15.x, 16.x and 17.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.4.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://www.securityfocus.com/bid/104826
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU36867
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2962
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 8.4, 15.x, 16.x and 17.x. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 4.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.4.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://www.securityfocus.com/bid/104826
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU36868
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-2963
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 8.4, 15.x and 16.x. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.4.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://www.securityfocus.com/bid/104826
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU37177
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-2849
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 16.2 and 17.1 - 17.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 16.2.0.0
CPE2.3 External linkshttps://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://www.securityfocus.com/bid/103835
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU38529
Risk: Medium
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:U/U:Green]
CVE-ID: CVE-2017-10131
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management. CVSS 3.0 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.3.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.securityfocus.com/bid/99757
https://www.securitytracker.com/id/1038946
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU38536
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10160
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.3.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.securityfocus.com/bid/99793
https://www.securitytracker.com/id/1038946
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU38547
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-10038
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 15.1.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.securityfocus.com/bid/99751
https://www.securitytracker.com/id/1038946
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU39107
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-3579
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.3.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.securityfocus.com/bid/97886
https://www.securitytracker.com/id/1038289
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU39109
Risk: High
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3583
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.3.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.securityfocus.com/bid/97893
https://www.securitytracker.com/id/1038289
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Input validation error
EUVDB-ID: #VU39131
Risk: High
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber]
CVE-ID: CVE-2017-3503
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access (Apache Commons BeanUtils)). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Primavera P6 Enterprise Project Portfolio Management. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.3.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://www.securityfocus.com/bid/97891
https://www.securitytracker.com/id/1038289
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Input validation error
EUVDB-ID: #VU39776
Risk: High
CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3324
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.2, 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management. CVSS v3.0 Base Score 10.0 (Confidentiality, Integrity and Availability impacts).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.2.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://www.securityfocus.com/bid/95528
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Input validation error
EUVDB-ID: #VU39779
Risk: High
CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3263
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Team Member). Supported versions that are affected are 8.2, 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS v3.0 Base Score 8.1 (Confidentiality and Integrity impacts).
MitigationInstall update from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 8.2.0.0 - 16.2.0.0
CPE2.3- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4.0.0:*:*:*:*:*:*:*
https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://www.securityfocus.com/bid/95535
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
