Details of VAR-201704-1050

ID

VAR-201704-1050

CVE

CVE-2017-3508

TITLE

Oracle Primavera Products Suite of Primavera Gateway In Primavera Desktop Integration Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-003510

DESCRIPTION

Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Primavera Gateway. CVSS 3.0 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The vulnerability can be exploited over the 'HTTP' protocol. An attacker could exploit this vulnerability to take control of components and affect the availability of data. The following versions are affected: Oracle Primavera Products Suite 1.0, Release 1.1, Release 14.2, Release 15.1, Release 15.2, Release 16.1, Release 16.2

Trust: 2.34

sources: NVD: CVE-2017-3508 // JVNDB: JVNDB-2017-003510 // BID: 97883 // BID: 97889 // VULHUB: VHN-111711 // VULMON: CVE-2017-3508

AFFECTED PRODUCTS

vendor:	oracle	model:	primavera gateway	scope:	eq	version:	16.2	Trust: 2.7
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	16.1	Trust: 2.7
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	15.2	Trust: 2.7
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	15.1	Trust: 2.7
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	14.2	Trust: 2.7
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	1.1	Trust: 2.7
vendor:	oracle	model:	primavera gateway	scope:	eq	version:	1.0	Trust: 2.7
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	8.4	Trust: 0.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	8.3	Trust: 0.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	16.2	Trust: 0.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	16.1	Trust: 0.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	15.2	Trust: 0.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	15.1	Trust: 0.3

sources: BID: 97883 // BID: 97889 // JVNDB: JVNDB-2017-003510 // CNNVD: CNNVD-201704-888 // NVD: CVE-2017-3508

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-3508
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-3508
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201704-888
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-111711
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-3508
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-3508
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-111711
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-3508
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-111711 // VULMON: CVE-2017-3508 // JVNDB: JVNDB-2017-003510 // CNNVD: CNNVD-201704-888 // NVD: CVE-2017-3508

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-111711 // JVNDB: JVNDB-2017-003510 // NVD: CVE-2017-3508

THREAT TYPE

network

Trust: 0.6

sources: BID: 97883 // BID: 97889

TYPE

Unknown

Trust: 0.6

sources: BID: 97883 // BID: 97889

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003510

PATCH

title:	Oracle Critical Patch Update Advisory - April 2017	url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html	Trust: 0.8
title:	Text Form of Oracle Critical Patch Update - April 2017 Risk Matrices	url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2017verbose-3236619.html	Trust: 0.8
title:	Oracle Primavera Gateway Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69381	Trust: 0.6
title:	Oracle: Oracle Critical Patch Update Advisory - April 2017	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=143b3fb255063c81571469eaa3cf0a87	Trust: 0.1

sources: VULMON: CVE-2017-3508 // JVNDB: JVNDB-2017-003510 // CNNVD: CNNVD-201704-888

EXTERNAL IDS

db:	NVD	id:	CVE-2017-3508	Trust: 2.9
db:	BID	id:	97883	Trust: 2.1
db:	BID	id:	97889	Trust: 2.1
db:	SECTRACK	id:	1038289	Trust: 1.8
db:	JVNDB	id:	JVNDB-2017-003510	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-888	Trust: 0.7
db:	VULHUB	id:	VHN-111711	Trust: 0.1
db:	VULMON	id:	CVE-2017-3508	Trust: 0.1

sources: VULHUB: VHN-111711 // VULMON: CVE-2017-3508 // BID: 97883 // BID: 97889 // JVNDB: JVNDB-2017-003510 // CNNVD: CNNVD-201704-888 // NVD: CVE-2017-3508

REFERENCES

url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html	Trust: 2.5
url:	http://www.securityfocus.com/bid/97883	Trust: 1.9
url:	http://www.securityfocus.com/bid/97889	Trust: 1.8
url:	http://www.securitytracker.com/id/1038289	Trust: 1.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3508	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3508	Trust: 0.8
url:	http://www.oracle.com/index.html	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-111711 // VULMON: CVE-2017-3508 // BID: 97883 // BID: 97889 // JVNDB: JVNDB-2017-003510 // CNNVD: CNNVD-201704-888 // NVD: CVE-2017-3508

CREDITS

Oracle

Trust: 1.2

sources: BID: 97883 // BID: 97889 // CNNVD: CNNVD-201704-888

SOURCES

db:	VULHUB	id:	VHN-111711
db:	VULMON	id:	CVE-2017-3508
db:	BID	id:	97883
db:	BID	id:	97889
db:	JVNDB	id:	JVNDB-2017-003510
db:	CNNVD	id:	CNNVD-201704-888
db:	NVD	id:	CVE-2017-3508

LAST UPDATE DATE

2024-11-23T22:13:02.939000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-111711	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2017-3508	date:	2019-10-03T00:00:00
db:	BID	id:	97883	date:	2017-05-02T03:05:00
db:	BID	id:	97889	date:	2017-05-02T01:09:00
db:	JVNDB	id:	JVNDB-2017-003510	date:	2017-05-30T00:00:00
db:	CNNVD	id:	CNNVD-201704-888	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-3508	date:	2024-11-21T03:25:41.473

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-111711	date:	2017-04-24T00:00:00
db:	VULMON	id:	CVE-2017-3508	date:	2017-04-24T00:00:00
db:	BID	id:	97883	date:	2017-04-18T00:00:00
db:	BID	id:	97889	date:	2017-04-18T00:00:00
db:	JVNDB	id:	JVNDB-2017-003510	date:	2017-05-30T00:00:00
db:	CNNVD	id:	CNNVD-201704-888	date:	2017-04-21T00:00:00
db:	NVD	id:	CVE-2017-3508	date:	2017-04-24T19:59:03.097