Details of VAR-201708-0724

ID

VAR-201708-0724

CVE

CVE-2017-10160

TITLE

Oracle Primavera Products Suite of Primavera P6 Enterprise Project Portfolio Management In Web Access Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2017-006307

DESCRIPTION

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). An attacker could use this vulnerability to unauthorizedly read data, affecting the confidentiality of the data. The vulnerability can be exploited over the 'HTTP' protocol. The 'Web Access' sub component is affected

Trust: 2.52

sources: NVD: CVE-2017-10160 // JVNDB: JVNDB-2017-006307 // CNVD: CNVD-2017-20295 // BID: 99793 // VULMON: CVE-2017-10160

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-20295

AFFECTED PRODUCTS

vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	8.3	Trust: 3.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	8.4	Trust: 3.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	16.2	Trust: 3.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	16.1	Trust: 3.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	15.2	Trust: 3.3
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	eq	version:	15.1	Trust: 3.3

sources: CNVD: CNVD-2017-20295 // BID: 99793 // JVNDB: JVNDB-2017-006307 // CNNVD: CNNVD-201707-1286 // NVD: CVE-2017-10160

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-10160
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-10160
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-20295
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201707-1286
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2017-10160
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-10160
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-20295
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-10160
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-20295 // VULMON: CVE-2017-10160 // JVNDB: JVNDB-2017-006307 // CNNVD: CNNVD-201707-1286 // NVD: CVE-2017-10160

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.8

sources: JVNDB: JVNDB-2017-006307 // NVD: CVE-2017-10160

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-1286

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201707-1286

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006307

PATCH

title:	Oracle Critical Patch Update Advisory - July 2017	url:	http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	Trust: 0.8
title:	Text Form of Oracle Critical Patch Update - July 2017 Risk Matrices	url:	http://www.oracle.com/technetwork/security-advisory/cpujul2017verbose-3236625.html	Trust: 0.8
title:	Patch for Unknown vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management	url:	https://www.cnvd.org.cn/patchInfo/show/99788	Trust: 0.6
title:	Oracle Primavera P6 Enterprise Project Portfolio Management Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=72100	Trust: 0.6
title:	Oracle: Oracle Critical Patch Update Advisory - July 2017	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=2f446a7e1ea263c0c3a365776c6713f2	Trust: 0.1

sources: CNVD: CNVD-2017-20295 // VULMON: CVE-2017-10160 // JVNDB: JVNDB-2017-006307 // CNNVD: CNNVD-201707-1286

EXTERNAL IDS

db:	NVD	id:	CVE-2017-10160	Trust: 3.4
db:	BID	id:	99793	Trust: 2.6
db:	SECTRACK	id:	1038946	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-006307	Trust: 0.8
db:	CNVD	id:	CNVD-2017-20295	Trust: 0.6
db:	CNNVD	id:	CNNVD-201707-1286	Trust: 0.6
db:	VULMON	id:	CVE-2017-10160	Trust: 0.1

sources: CNVD: CNVD-2017-20295 // VULMON: CVE-2017-10160 // BID: 99793 // JVNDB: JVNDB-2017-006307 // CNNVD: CNNVD-201707-1286 // NVD: CVE-2017-10160

REFERENCES

url:	http://www.securityfocus.com/bid/99793	Trust: 2.4
url:	http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	Trust: 2.1
url:	http://www.securitytracker.com/id/1038946	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10160	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-10160	Trust: 0.8
url:	http://www.oracle.com/index.html	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-20295 // VULMON: CVE-2017-10160 // BID: 99793 // JVNDB: JVNDB-2017-006307 // CNNVD: CNNVD-201707-1286 // NVD: CVE-2017-10160

CREDITS

Or Hanuka of Motorola Solutions and Tzachy Horesh of Motorola Solutions.

Trust: 0.9

sources: BID: 99793 // CNNVD: CNNVD-201707-1286

SOURCES

db:	CNVD	id:	CNVD-2017-20295
db:	VULMON	id:	CVE-2017-10160
db:	BID	id:	99793
db:	JVNDB	id:	JVNDB-2017-006307
db:	CNNVD	id:	CNNVD-201707-1286
db:	NVD	id:	CVE-2017-10160

LAST UPDATE DATE

2024-08-14T13:30:09.823000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-20295	date:	2017-08-10T00:00:00
db:	VULMON	id:	CVE-2017-10160	date:	2019-10-03T00:00:00
db:	BID	id:	99793	date:	2017-07-18T00:00:00
db:	JVNDB	id:	JVNDB-2017-006307	date:	2017-08-23T00:00:00
db:	CNNVD	id:	CNNVD-201707-1286	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-10160	date:	2019-10-03T00:03:26.223

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-20295	date:	2017-08-10T00:00:00
db:	VULMON	id:	CVE-2017-10160	date:	2017-08-08T00:00:00
db:	BID	id:	99793	date:	2017-07-18T00:00:00
db:	JVNDB	id:	JVNDB-2017-006307	date:	2017-08-23T00:00:00
db:	CNNVD	id:	CNNVD-201707-1286	date:	2017-07-26T00:00:00
db:	NVD	id:	CVE-2017-10160	date:	2017-08-08T15:29:04.897