ID

VAR-201708-0576


CVE

CVE-2017-10131


TITLE

Web Access Vulnerability in Primavera P6 Enterprise Project Portfolio Management of Oracle Primavera Products Suite

Trust: 0.8

sources: JVNDB: JVNDB-2017-006304

DESCRIPTION

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management. CVSS 3.0 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L). A denial-of-service (DoS) attack may be carried out. A remote attacker could use this vulnerability to read, update, insert or delete data without authorization, causing a denial of service and affecting the availability, confidentiality and integrity of the data. The vulnerability can be exploited over the 'HTTP' protocol. The 'Web Access' subcomponent is affected.

Trust: 2.52

sources: NVD: CVE-2017-10131 // JVNDB: JVNDB-2017-006304 // CNVD: CNVD-2017-28263 // BID: 99757 // VULMON: CVE-2017-10131

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-28263

AFFECTED PRODUCTS

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 8.3

Trust: 3.3

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 8.4

Trust: 3.3

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 16.2

Trust: 3.3

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 16.1

Trust: 3.3

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 15.2

Trust: 3.3

vendor: oracle, model: primavera p6 enterprise project portfolio management, scope: eq, version: 15.1

Trust: 3.3

sources: CNVD: CNVD-2017-28263 // BID: 99757 // JVNDB: JVNDB-2017-006304 // CNNVD: CNNVD-201707-1377 // NVD: CVE-2017-10131

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-10131
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-10131
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-28263
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201707-1377
value: MEDIUM

Trust: 0.6

VULMON: CVE-2017-10131
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-10131
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-28263
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2017-10131
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 3.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-28263 // VULMON: CVE-2017-10131 // JVNDB: JVNDB-2017-006304 // CNNVD: CNNVD-201707-1377 // NVD: CVE-2017-10131

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2017-006304 // NVD: CVE-2017-10131

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-1377

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201707-1377

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006304

PATCH

title: Oracle Critical Patch Update Advisory - July 2017
url: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Trust: 0.8

title: Text Form of Oracle Critical Patch Update - July 2017 Risk Matrices
url: http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html

Trust: 0.8

title: Patch for Oracle Primavera P6 Enterprise Project Portfolio Management Unauthorized Operation Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/102782

Trust: 0.6

title: Oracle Primavera P6 Enterprise Project Portfolio Management Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=72167

Trust: 0.6

title: Oracle: Oracle Critical Patch Update Advisory - July 2017
url: https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=2f446a7e1ea263c0c3a365776c6713f2

Trust: 0.1

sources: CNVD: CNVD-2017-28263 // VULMON: CVE-2017-10131 // JVNDB: JVNDB-2017-006304 // CNNVD: CNNVD-201707-1377

EXTERNAL IDS

db: NVD, id: CVE-2017-10131

Trust: 3.4

db: BID, id: 99757

Trust: 2.6

db: SECTRACK, id: 1038946

Trust: 1.7

db: JVNDB, id: JVNDB-2017-006304

Trust: 0.8

db: CNVD, id: CNVD-2017-28263

Trust: 0.6

db: CNNVD, id: CNNVD-201707-1377

Trust: 0.6

db: VULMON, id: CVE-2017-10131

Trust: 0.1

sources: CNVD: CNVD-2017-28263 // VULMON: CVE-2017-10131 // BID: 99757 // JVNDB: JVNDB-2017-006304 // CNNVD: CNNVD-201707-1377 // NVD: CVE-2017-10131

REFERENCES

url: http://www.securityfocus.com/bid/99757

Trust: 2.4

url: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Trust: 2.1

url: http://www.securitytracker.com/id/1038946

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10131

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-10131

Trust: 0.8

url: http://www.oracle.com/index.html

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2017-28263 // VULMON: CVE-2017-10131 // BID: 99757 // JVNDB: JVNDB-2017-006304 // CNNVD: CNNVD-201707-1377 // NVD: CVE-2017-10131

CREDITS

Or Hanuka of Motorola Solutions, Tzachy Horesh of Motorola Solutions.

Trust: 0.9

sources: BID: 99757 // CNNVD: CNNVD-201707-1377

SOURCES

db: CNVD, id: CNVD-2017-28263
db: VULMON, id: CVE-2017-10131
db: BID, id: 99757
db: JVNDB, id: JVNDB-2017-006304
db: CNNVD, id: CNNVD-201707-1377
db: NVD, id: CVE-2017-10131

LAST UPDATE DATE

2024-08-14T13:30:09.706000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-28263, date: 2017-09-26T00:00:00
db: VULMON, id: CVE-2017-10131, date: 2019-10-03T00:00:00
db: BID, id: 99757, date: 2017-07-18T00:00:00
db: JVNDB, id: JVNDB-2017-006304, date: 2017-08-23T00:00:00
db: CNNVD, id: CNNVD-201707-1377, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-10131, date: 2019-10-03T00:03:26.223

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-28263, date: 2017-09-26T00:00:00
db: VULMON, id: CVE-2017-10131, date: 2017-08-08T00:00:00
db: BID, id: 99757, date: 2017-07-18T00:00:00
db: JVNDB, id: JVNDB-2017-006304, date: 2017-08-23T00:00:00
db: CNNVD, id: CNNVD-201707-1377, date: 2017-07-27T00:00:00
db: NVD, id: CVE-2017-10131, date: 2017-08-08T15:29:04.257