CVE-2020-2594 in Primavera P6 Enterprise Project Portfolio Management

Summary

by MITRE

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Project Manager). Supported versions that are affected are 16.2.0.0 - 16.2.19.3, 17.12.0.0 - 17.12.17.0, 18.8.0.0 - 18.8.18.0, 19.12.1.0 - 19.12.3.0 and 20.1.0.0 - 20.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management. CVSS 3.0 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).


Analysis

by VulDB Data Team • 05/08/2025

CVE-2020-2594 is a vulnerability in the Project Manager component of Oracle Construction and Engineering's Primavera P6 Enterprise Project Portfolio Management (EPPM). The affected supported releases are 16.2.0.0 through 16.2.19.3, 17.12.0.0 through 17.12.17.0, 18.8.0.0 through 18.8.18.0, 19.12.1.0 through 19.12.3.0, and 20.1.0.0 through 20.2.0.0, so five release trains of the product are in scope. Oracle rates the vulnerability as easily exploitable, meaning no special conditions or skills are needed beyond the stated prerequisites (network access to the application over HTTP and a low-privileged account). In production, P6 EPPM holds schedules, resource assignments and cost data for an organisation's project portfolio, so a flaw in it touches business-critical records.

The advisory does not disclose the nature of the flaw. It states only that a low-privileged attacker with network access over HTTP can compromise the product, and that a person other than the attacker must take some action for an attack to succeed (UI:R). In practice that usually means an authenticated P6 user is induced, for example through a crafted link or content presented within the application, to issue a request or render a page that triggers the flaw, so patching and hardening cannot be replaced by user awareness alone, nor the reverse. The CVSS 3.0 base score of 6.5 (Medium) reflects low impacts on confidentiality, integrity and availability; the same impacts with an unchanged scope would score 5.5, so the scope change accounts for the higher rating.

Because the scope is changed (S:C), the advisory warns that a successful attack may significantly affect products other than P6 EPPM itself; it does not say which. Within P6 EPPM, successful exploitation allows unauthorized update, insert or delete access to some of the application's data, which for this product means project schedules, resource allocations and cost figures can be altered; unauthorized read access to a subset of the data, exposing confidential project and planning information; and a partial denial of service that interrupts project management operations for project managers, executives and resource planners who depend on the system.

The advisory publishes no CWE for this issue. The mapping to CWE-284 (Improper Access Control), and the suggestion of CWE-352 (Cross-Site Request Forgery) on the strength of the HTTP attack vector and the user-interaction requirement, is analyst inference and should be treated as such until Oracle or a researcher describes the flaw. The same applies to any ATT&CK characterisation: the advisory establishes only that the attacker starts from a low-privileged account and obtains access beyond what that account permits, which is a privilege-escalation outcome; nothing in the published data supports a credential-access technique. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reads as network exploitation, low attack complexity, low privileges required, user interaction required, changed scope, and low impact on each of confidentiality, integrity and availability. Organisations running an affected release should apply the Oracle Critical Patch Update that addresses this CVE, limit network exposure of the P6 web interface to users who need it, review which accounts hold even low-privileged access, monitor for unusual data changes and failed or anomalous requests against the application, and train users to distrust unsolicited links into the application, since the attack requires a legitimate user to act.

Responsible

Oracle

Reservation

12/10/2019

Moderation

accepted

CPE

ready

EPSS

0.00710

KEV

no

Activities

very low

Sources