Details of VAR-202301-1360

ID

VAR-202301-1360

CVE

CVE-2023-21888

TITLE

Oracle Construction and Engineering of Primavera Gateway In WebUI Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-001206

DESCRIPTION

Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: WebUI). Supported versions that are affected are 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10 and 21.12.0-21.12.8. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Gateway. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Gateway, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Gateway accessible data as well as unauthorized read access to a subset of Primavera Gateway accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Trust: 1.8

sources: NVD: CVE-2023-21888 // JVNDB: JVNDB-2023-001206 // VULHUB: VHN-448705 // VULMON: CVE-2023-21888

AFFECTED PRODUCTS

vendor:	oracle	model:	primavera gateway	scope:	gte	version:	20.12.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	20.12.10	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	18.8.15	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	18.8.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	19.12.15	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	19.12.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	21.12.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	21.12.8	Trust: 1.0
vendor:	オラクル	model:	primavera gateway	scope:	eq	version:	19.12.0 to 19.12.15	Trust: 0.8
vendor:	オラクル	model:	primavera gateway	scope:	eq	version:	20.12.0 to 20.12.10	Trust: 0.8
vendor:	オラクル	model:	primavera gateway	scope:	eq	version:	-	Trust: 0.8
vendor:	オラクル	model:	primavera gateway	scope:	eq	version:	18.8.0 to 18.8.15	Trust: 0.8
vendor:	オラクル	model:	primavera gateway	scope:	eq	version:	21.12.0 to 21.12.8	Trust: 0.8

sources: JVNDB: JVNDB-2023-001206 // NVD: CVE-2023-21888

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-21888
value:	MEDIUM
Trust: 1.0
secalert_us@oracle.com:	CVE-2023-21888
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2023-001206
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202301-1331
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-21888
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2023-001206
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-001206 // CNNVD: CNNVD-202301-1331 // NVD: CVE-2023-21888 // NVD: CVE-2023-21888

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-001206 // NVD: CVE-2023-21888

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202301-1331

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202301-1331

PATCH

title:	Oracle Critical Patch Update Advisory - January 2023 Oracle Critical Patch Update	url:	https://www.oracle.com/security-alerts/cpujan2023.html	Trust: 0.8
title:	Oracle Construction and Engineering Suite Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=221853	Trust: 0.6

sources: JVNDB: JVNDB-2023-001206 // CNNVD: CNNVD-202301-1331

EXTERNAL IDS

db:	NVD	id:	CVE-2023-21888	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-001206	Trust: 0.8
db:	CNNVD	id:	CNNVD-202301-1331	Trust: 0.6
db:	VULHUB	id:	VHN-448705	Trust: 0.1
db:	VULMON	id:	CVE-2023-21888	Trust: 0.1

sources: VULHUB: VHN-448705 // VULMON: CVE-2023-21888 // JVNDB: JVNDB-2023-001206 // CNNVD: CNNVD-202301-1331 // NVD: CVE-2023-21888

REFERENCES

url:	https://www.oracle.com/security-alerts/cpujan2023.html	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-21888	Trust: 1.4
url:	https://cxsecurity.com/cveshow/cve-2023-21888/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-448705 // VULMON: CVE-2023-21888 // JVNDB: JVNDB-2023-001206 // CNNVD: CNNVD-202301-1331 // NVD: CVE-2023-21888

SOURCES

db:	VULHUB	id:	VHN-448705
db:	VULMON	id:	CVE-2023-21888
db:	JVNDB	id:	JVNDB-2023-001206
db:	CNNVD	id:	CNNVD-202301-1331
db:	NVD	id:	CVE-2023-21888

LAST UPDATE DATE

2024-08-14T13:52:49.629000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-448705	date:	2023-01-25T00:00:00
db:	VULMON	id:	CVE-2023-21888	date:	2023-01-18T00:00:00
db:	JVNDB	id:	JVNDB-2023-001206	date:	2023-01-31T02:44:00
db:	CNNVD	id:	CNNVD-202301-1331	date:	2023-02-02T00:00:00
db:	NVD	id:	CVE-2023-21888	date:	2023-01-25T14:26:33.427

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-448705	date:	2023-01-18T00:00:00
db:	VULMON	id:	CVE-2023-21888	date:	2023-01-18T00:00:00
db:	JVNDB	id:	JVNDB-2023-001206	date:	2023-01-31T00:00:00
db:	CNNVD	id:	CNNVD-202301-1331	date:	2023-01-17T00:00:00
db:	NVD	id:	CVE-2023-21888	date:	2023-01-18T00:15:16.620