CVE-2020-14529 in Primavera Portfolio Managementinfo

Summary

by MITRE

Vulnerability in the Primavera Portfolio Management product of Oracle Construction and Engineering (component: Investor Module). Supported versions that are affected are 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0 and 19.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera Portfolio Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/31/2020

The vulnerability identified as CVE-2020-14529 affects Oracle Construction and Engineering's Primavera Portfolio Management software, specifically within the Investor Module component. This issue represents a significant security weakness that falls under CWE-284 - Improper Access Control, where insufficient authorization mechanisms allow unauthorized users to perform operations that should be restricted to privileged personnel. The affected versions span across multiple release lines including 16.1.0.0 through 16.1.5.1, 18.0.0.0 through 18.0.2.0, and 19.0.0.0, indicating this flaw has persisted across several major releases and represents a long-standing access control vulnerability. The CVSS 3.1 score of 5.4 reflects a medium severity classification with low attack complexity and requiring only low privileges, making it particularly dangerous as it can be exploited by individuals with minimal access rights.

The technical exploitation of this vulnerability occurs through HTTP network access and requires human interaction from users other than the attacker, which aligns with ATT&CK technique T1210 - Exploitation of Remote Services. This characteristic suggests that the attack vector likely involves social engineering or user manipulation rather than direct system compromise, making it more challenging to detect and prevent. The vulnerability enables unauthorized update, insert, and delete operations on sensitive data within the Primavera Portfolio Management system, while also allowing unauthorized read access to specific data subsets. This dual impact on both confidentiality and integrity represents a classic privilege escalation scenario where low-privilege users can gain elevated access rights to modify or extract sensitive project management information.

The operational impact of this vulnerability extends beyond the immediate Primavera Portfolio Management system as indicated by the CVSS vector's scope classification S:C, which shows that successful exploitation can significantly affect additional products. This cascading effect suggests that the compromised system may serve as a foothold for broader attacks within enterprise environments where Primavera is integrated with other business applications or databases. Organizations using this software may face data integrity issues, unauthorized modifications to project schedules, budget allocations, or resource assignments, potentially causing significant financial and operational disruptions. The vulnerability's ability to enable unauthorized data modifications combined with read access creates a comprehensive threat vector that can compromise both the integrity of project data and the confidentiality of sensitive business information.

Organizations should implement immediate mitigations including network segmentation to limit access to the affected system, enforcing strict access controls and authentication mechanisms, and conducting thorough user privilege reviews to ensure least-privilege principles are maintained. The recommended approach involves applying Oracle's security patches and updates as soon as they become available, while also implementing network monitoring to detect suspicious HTTP traffic patterns. Additionally, organizations should consider implementing user behavior analytics and access logging to identify potential exploitation attempts. From a compliance standpoint, this vulnerability impacts organizations subject to regulations requiring data integrity and access control measures, potentially violating standards such as SOC 2, ISO 27001, or industry-specific requirements for construction project management data protection. The vulnerability's classification as easily exploitable with low attack complexity makes it a priority for immediate remediation and monitoring within enterprise security programs.

Responsible

Oracle

Reservation

06/19/2020

Moderation

accepted

CPE

ready

EPSS

0.00699

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!