Multiple vulnerabilities in Primavera P6 Enterprise Project Portfolio Management
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-2707 CVE-2019-17091 CVE-2020-2556 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Primavera P6 Enterprise Project Portfolio Management Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU24497
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2707
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the WebAccess component in Primavera P6 Enterprise Project Portfolio Management. A remote authenticated user can exploit this vulnerability to read and manipulate data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrimavera P6 Enterprise Project Portfolio Management: 15.1.0.0 - 18.8.16
External linkshttp://www.oracle.com/security-alerts/cpujan2020.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU24469
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-17091
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Maps (Mojarra) component in Oracle Communications Unified Inventory Management. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
MitigationInstall updates from vendor's website.
Primavera P6 Enterprise Project Portfolio Management: 15.1.0.0 - 19.12.0
External linkshttp://www.oracle.com/security-alerts/cpujan2020.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU24495
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-2556
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to modify certain data.
The vulnerability exists due to improper input validation within the Core component in Primavera P6 Enterprise Project Portfolio Management. A local authenticated user can exploit this vulnerability to modify certain data.
MitigationPrimavera P6 Enterprise Project Portfolio Management: 16.2.0.0 - 20.1.0.0
External linkshttp://www.oracle.com/security-alerts/cpujan2020.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
