CVE-2024-21095

Summary

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 19.12.0-19.12.22, 20.12.0-20.12.21, 21.12.0-21.12.18, 22.12.0-22.12.12 and 23.12.0-23.12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

Affected Software

VendorProductVersion RangeStatus
Oracle CorporationPrimavera P6 Enterprise Project Portfolio Management19.12.0 <= 19.12.22affected
Oracle CorporationPrimavera P6 Enterprise Project Portfolio Management20.12.0 <= 20.12.21affected
Oracle CorporationPrimavera P6 Enterprise Project Portfolio Management21.12.0 <= 21.12.18affected
Oracle CorporationPrimavera P6 Enterprise Project Portfolio Management22.12.0 <= 22.12.12affected
Oracle CorporationPrimavera P6 Enterprise Project Portfolio Management23.12.0 <= 23.12.2affected

Weaknesses

  • Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References