Lucene search
This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_PRIMAVERA_P6_EPPM_CPU_JAN_2021.NASLHistoryJan 22, 2021 - 12:00 a.m.
Oracle Primavera P6 Enterprise Project Portfolio Management (Jan 2021 CPU)
2021-01-2200:00:00
This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
22
According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 16.2.x through 16.2.20.0, 17.12.x through 17.12.19, 18.8.x through 18.8.21, 19.12.1.x prior to 19.12.10. It is, therefore, affected by a vulnerability as referenced in the January 2021 CPU advisory.:
- Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web access (Spring Framework)). Supported versions that are affected are 16.1.0 through 16.2.20, 17.1.0 through 17.12.19, 18.1.0 through 18.8.21 and 19.12.0 through 19.12.10.
Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(145245);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");
script_cve_id("CVE-2020-5421");
script_xref(name:"CEA-ID", value:"CEA-2021-0004");
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_name(english:"Oracle Primavera P6 Enterprise Project Portfolio Management (Jan 2021 CPU)");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a vulnerability");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)
installation running on the remote web server is 16.2.x through 16.2.20.0, 17.12.x through 17.12.19, 18.8.x through
18.8.21, 19.12.1.x prior to 19.12.10. It is, therefore, affected by a vulnerability as referenced in the January
2021 CPU advisory.:
- Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction
and Engineering (component: Web access (Spring Framework)). Supported versions that are affected are
16.1.0 through 16.2.20, 17.1.0 through 17.12.19, 18.1.0 through 18.8.21 and 19.12.0 through 19.12.10.
Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise
Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a
person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio
Management, attacks may significantly impact additional products. Successful attacks of this vulnerability
can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6
Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of
Primavera P6 Enterprise Project Portfolio Management accessible data.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpujan2021cvrf.xml");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2021.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2021 Oracle Critical Patch Update advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5421");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/01/19");
script_set_attribute(attribute:"patch_publication_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/01/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("oracle_primavera_p6_eppm.nbin");
script_require_keys("installed_sw/Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", "www/weblogic");
script_require_ports("Services/www", 8004);
exit(0);
}
include('vcf.inc');
include('http.inc');
get_install_count(app_name:'Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)', exit_if_zero:TRUE);
port = get_http_port(default:8004);
get_kb_item_or_exit('www/weblogic/' + port + '/installed');
app_info = vcf::get_app_info(app:'Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)', port:port);
constraints = [
{ 'min_version' : '16.1.0', 'max_version' : '16.2.20', 'fixed_version' : '16.2.21.0' },
{ 'min_version' : '17.1.0', 'max_version' : '17.12.19', 'fixed_version' : '17.12.20.0' },
{ 'min_version' : '18.1.0', 'max_version' : '18.8.21', 'fixed_version' : '18.8.22.0' },
{ 'min_version' : '19.12.0', 'max_version' : '19.12.10', 'fixed_version' : '19.12.11.0' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_NOTE
);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | primavera_p6_enterprise_project_portfolio_management | cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management |
Related
ibm
ibm
Security Bulletin: Spring Framework vulnerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson Speech Services for Cloud Pak for Data 1.2)
2020-12-16 17:55:27
veracode
veracode
Reflected File Download (RFD) Attack
2020-09-18 08:14:19
github
github
Improper Input Validation in Spring Framework
2021-04-30 17:29:51
osv
osv
CVE-2020-5421
2020-09-19 04:15:11
Improper Input Validation in Spring Framework
2021-04-30 17:29:51
cve
cve
CVE-2020-5421
2020-09-19 04:15:00
githubexploit
githubexploit
Exploit for Vulnerability in Pivotal Software Spring Framework
2021-01-10 12:26:00
ubuntucve
ubuntucve
CVE-2020-5421
2020-09-19 00:00:00
debiancve
debiancve
CVE-2020-5421
2020-09-19 04:15:00
redhatcve
redhatcve
CVE-2020-5421
2020-09-21 16:59:07
nessus
nessus
Oracle Primavera Gateway (Jan 2021 CPU)
2021-01-20 00:00:00
Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Jan 2021 CPU)
2021-01-28 00:00:00
prion
prion
Design/Logic Flaw
2020-09-19 04:15:00
redhat
redhat
(RHSA-2021:3140) Moderate: Red Hat Fuse 7.9.0 release and security update
2021-08-11 18:18:10
oracle
oracle
Oracle Critical Patch Update Advisory - January 2021
2021-01-19 00:00:00
Oracle Critical Patch Update Advisory - January 2024
2024-01-16 00:00:00
Oracle Critical Patch Update Advisory - October 2022
2022-10-18 00:00:00
Related for ORACLE_PRIMAVERA_P6_EPPM_CPU_JAN_2021.NASL