Vulnerability Name: CVE-2017-3508 (CCN-124887) Assigned: 2016-12-06 Published: 2017-04-18 Updated: 2019-10-03 Summary: Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Primavera Gateway. CVSS 3.0 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) . CVSS v3 Severity: 9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-noinfo Vulnerability Consequences: Other References: Source: MITRECVE-2017-3508 Oracle Critical Patch Update Advisory - April 2017 http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html 97883 Oracle Primavera Gateway CVE-2017-3508 Remote Security Vulnerability 97889 RETIRED: Oracle Primavera Products CVE-2017-3508 Remote Security Vulnerability 1038289 oracle-cpuapr2017-cve20173508(124887) Vulnerable Configuration: Configuration 1 :cpe:/a:oracle:primavera_gateway:1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:1.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:14.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:15.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:oracle:primavera_gateway:1.0:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:1.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:14.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:15.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:* OR cpe:/a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:* BACK
oracle primavera gateway 1.0
oracle primavera gateway 1.1
oracle primavera gateway 14.2
oracle primavera gateway 15.1
oracle primavera gateway 15.2
oracle primavera gateway 16.1
oracle primavera gateway 16.2
oracle primavera gateway 1.0
oracle primavera gateway 1.1
oracle primavera gateway 14.2
oracle primavera gateway 15.1
oracle primavera gateway 15.2
oracle primavera gateway 16.1
oracle primavera gateway 16.2
Denotes that component is vulnerable