SB2025041683 - Multiple vulnerabilities in Primavera Unifier

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025041683

SB2025041683 - Multiple vulnerabilities in Primavera Unifier

Published: April 16, 2025

Security Bulletin ID SB2025041683
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2024-49771)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Platform (MPXJ) component in Primavera Unifier. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


2) Resource management error (CVE-ID: CVE-2024-57699)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a specially crafted JSON input. A remote attacker can pass a large number of ’{’ characters to the application and perform a denial of service (DoS) attack.

Note, the vulnerability exists due to incomplete fix for #VU75044 (CVE-2023-1370).


3) Path traversal (CVE-ID: CVE-2024-38819)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


Remediation

Install update from vendor's website.

References