Security restrictions bypass in Oracle Primavera P6 Enterprise Project Portfolio Management



| Updated: 2020-01-24
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-3572
CWE-ID CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Primavera P6 Enterprise Project Portfolio Management
Server applications / Other server solutions

Vendor Oracle

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Security restrictions bypass

EUVDB-ID: #VU191

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-3572

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to partially access and partially modify data.

The vulnerability exists in Primavera P6 Enterprise Project Portfolio Management Web Access component. A remote authenticated attacker can partially access and partially modify data by exploiting a flaw in the Primavera P6 Enterprise Project Portfolio Management Web Access component.

Successful exploitation of this vulnerability may result in modification of system information and user access via network.

Mitigation

The vendor has issued a fix as part of the July 2016 Oracle Critical Patch Update.

Vulnerable software versions

Primavera P6 Enterprise Project Portfolio Management: 8.3.0.0 - 16.1.0.0

CPE2.3 External links

https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###