CVE-2017-10149 in Primavera Unifier
Summary
by MITRE
Vulnerability in the Primavera Unifier component of Oracle Primavera Products Suite (subcomponent: Platform). Supported versions that are affected are 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Unifier. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Unifier, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Unifier accessible data as well as unauthorized read access to a subset of Primavera Unifier accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
Analysis
by VulDB Data Team • 01/03/2021
The vulnerability identified as CVE-2017-10149 resides within the Primavera Unifier component of Oracle Primavera Products Suite, specifically within the Platform subcomponent. This security flaw affects multiple versions including 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, and 16.2, representing a significant attack surface across the product lifecycle. The vulnerability classification as easily exploitable indicates that attackers can leverage this weakness with minimal technical sophistication, making it particularly dangerous in environments where network access is readily available.
The technical nature of this vulnerability stems from insufficient access controls and authentication mechanisms within the Primavera Unifier platform. Attackers with high privileged network access via HTTP can exploit this weakness to compromise the system's integrity and confidentiality. The vulnerability's CVSS 3.0 base score of 4.8 reflects its moderate severity, with confidentiality and integrity impacts rated as low but still significant. The attack vector metric AV:N means the attack can be initiated over the network from remote locations without physical access to the system. The low attack complexity AC:L indicates that exploitation does not require specialized circumstances or advanced technical skills.
The operational impact of this vulnerability extends beyond the immediate Primavera Unifier environment, potentially affecting additional products within the Oracle Primavera ecosystem. This cascading effect aligns with ATT&CK technique T1068, which describes the exploitation of local and remote system vulnerabilities. Successful exploitation enables unauthorized update, insert, or delete operations on sensitive data within the system, while also providing unauthorized read access to a subset of accessible data. The requirement for human interaction from a person other than the attacker (UI:R) suggests that social engineering or user manipulation may be necessary to complete the attack chain, for example through phishing campaigns or targeted manipulation of legitimate users.
The vulnerability's classification as CWE-284 (Improper Access Control) directly relates to the insufficient privilege checks and authentication mechanisms that allow unauthorized data manipulation. This weakness creates a pathway for attackers to potentially compromise the integrity of project management data, which could have severe consequences in construction and project management environments where Primavera Unifier is extensively used. The impact on data integrity and confidentiality represents a significant risk to organizations relying on accurate project data for decision-making processes. Organizations implementing mitigation strategies should consider network segmentation, robust access controls, and regular security assessments to protect against this vulnerability. The CVSS vector indicates that while the attack requires high privileges, the human interaction requirement provides an opportunity for defensive measures through user education and awareness programs.