Unauthenticated Access Vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management
CVE-2019-3020

9.3 CRITICAL

Key Information:

Vendor: Oracle
CVE Published: 16 October 2019

Summary

A significant vulnerability exists in the web access component of Oracle's Primavera P6 Enterprise Project Portfolio Management. The flaw allows an unauthenticated attacker with network access via HTTP to compromise the system. Successful exploitation requires human interaction from a person other than the attacker, but the risk is severe: it can lead to unauthorized creation, deletion, or modification of critical data. Successful exploitation can also give the attacker unauthorized access to a broad range of Primavera P6 data, and may impact other interconnected Oracle products.

Affected Version(s)

Primavera P6 Enterprise Project Portfolio Management 15.1.0-15.2.18

Primavera P6 Enterprise Project Portfolio Management 16.1.0-16.2.18

Primavera P6 Enterprise Project Portfolio Management 17.1.0-17.12.14

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
