CVE-2018-2966

Current Description

Vulnerability in the Primavera Unifier component of Oracle Construction and Engineering Suite (subcomponent: Core). Supported versions that are affected are 16.x, 17.x and 18.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Unifier. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Unifier, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera Unifier accessible data. CVSS 3.0 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

Basic Data

PublishedJuly 18, 2018
Last ModifiedOctober 03, 2019
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeNVD-CWE-noinfo
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityMEDIUM
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactNONE
CVSS 2 - Availability ImpactNONE
CVSS 2 - Base Score4.3
SeverityMEDIUM
Exploitability Score8.6
Impact Score2.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

CVSS 3 - Version3.0
CVSS 3 - Vector StringCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS 3 - Attack VectorNETWORK
CVSS 3 - Attack ComplexityLOW
CVSS 3 - Privileges RequiredNONE
CVSS 3 - User InteractionREQUIRED
CVSS 3 - ScopeCHANGED
CVSS 3 - Confidentiality ImpactNONE
CVSS 3 - Integrity ImpactHIGH
CVSS 3 - Availability ImpactNONE
CVSS 3 - Base Score7.4
CVSS 3 - Base SeverityHIGH
Exploitability Score2.8
Base SeverityHIGH

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationOraclePrimavera Unifier16.1*******
    2.3ApplicationOraclePrimavera Unifier16.2*******
    2.3ApplicationOraclePrimavera Unifier16.2.1.0*******
    2.3ApplicationOraclePrimavera Unifier16.2.4.0*******
  • OR - Configuration 2
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationOraclePrimavera Unifier17.1*******
    2.3ApplicationOraclePrimavera Unifier17.2*******
    2.3ApplicationOraclePrimavera Unifier17.3*******
    2.3ApplicationOraclePrimavera Unifier17.4*******
    2.3ApplicationOraclePrimavera Unifier17.5*******
    2.3ApplicationOraclePrimavera Unifier17.6*******
    2.3ApplicationOraclePrimavera Unifier17.7*******
    2.3ApplicationOraclePrimavera Unifier17.8*******
    2.3ApplicationOraclePrimavera Unifier17.9*******
    2.3ApplicationOraclePrimavera Unifier17.10*******
    2.3ApplicationOraclePrimavera Unifier17.11*******
    2.3ApplicationOraclePrimavera Unifier17.12*******
  • OR - Configuration 3
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationOraclePrimavera Unifier18.1*******
    2.3ApplicationOraclePrimavera Unifier18.2*******
    2.3ApplicationOraclePrimavera Unifier18.3*******
    2.3ApplicationOraclePrimavera Unifier18.4*******
    2.3ApplicationOraclePrimavera Unifier18.5*******
    2.3ApplicationOraclePrimavera Unifier18.6*******
    2.3ApplicationOraclePrimavera Unifier18.7*******

Vulnerable Software List

VendorProductVersions
Oracle Primavera Unifier 16.1, 16.2, 16.2.1.0, 16.2.4.0, 17.1, 17.10, 17.11, 17.12, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9, 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7

References

NameSourceURLTags
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlCONFIRMPatch Vendor Advisory
104823http://www.securityfocus.com/bid/104823BID