Unauthenticated Access Vulnerability in Primavera P6 by Oracle
CVE-2025-21528

4.3 MEDIUM

Key Information:

Vendor: Oracle
CVE Published: 21 January 2025

Summary

Oracle's Primavera P6 Enterprise Project Portfolio Management contains a vulnerability that an unauthenticated attacker with network access via HTTP can exploit. Exploitation requires some level of human interaction from a person other than the attacker, and can result in unauthorized updates, inserts, or deletions of accessible data. The affected versions include multiple releases from 20.12 to 23.12, so users should assess their installations for potential risk.

Affected Version(s)

Primavera P6 Enterprise Project Portfolio Management 20.12.1.0 <= 20.12.21.5

Primavera P6 Enterprise Project Portfolio Management 21.12.1.0 <= 21.12.20.0

Primavera P6 Enterprise Project Portfolio Management 22.12.1.0 <= 22.12.16.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
