CVE-2023-21888 in Primavera Gatewayinfo

Summary

by MITRE • 01/18/2023

Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: WebUI). Supported versions that are affected are 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10 and 21.12.0-21.12.8. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Gateway. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Gateway, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Gateway accessible data as well as unauthorized read access to a subset of Primavera Gateway accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/12/2023

The vulnerability identified as CVE-2023-21888 affects Oracle Construction and Engineering's Primavera Gateway product, specifically within its WebUI component. This security flaw exists across multiple version ranges including 18.8.0 through 18.8.15, 19.12.0 through 19.12.15, 20.12.0 through 20.12.10, and 21.12.0 through 21.12.8, representing a significant attack surface that impacts organizations utilizing these construction project management platforms. The vulnerability classification as easily exploitable indicates that threat actors can leverage this weakness with minimal technical sophistication, making it particularly dangerous in production environments where such systems handle critical project data and financial information.

The technical nature of this vulnerability stems from insufficient access controls within the Primavera Gateway's web interface, allowing attackers with low privileges and network access via HTTP to potentially compromise the system. The CVSS 3.1 score of 5.4 reflects the moderate severity of the flaw, with confidentiality and integrity impacts rated as low but still significant enough to warrant immediate attention. The attack vector requires network access and low privilege levels, while the requirement for human interaction suggests that social engineering or targeted phishing campaigns may be necessary to initiate successful exploitation. The scope change aspect of this vulnerability indicates that successful attacks can extend beyond the immediate system boundaries, potentially affecting additional products within the broader Oracle Construction and Engineering ecosystem.

The operational impact of this vulnerability extends beyond simple data access, as it enables unauthorized update, insert, or delete operations against Primavera Gateway's accessible data, alongside unauthorized read access to sensitive information. This capability provides attackers with the means to manipulate project schedules, resource allocations, and financial data that are fundamental to construction project management. Organizations using Primavera Gateway may face significant disruption to their project planning processes, potential financial losses due to data manipulation, and compromised project timelines that could affect multiple stakeholders. The vulnerability's potential to impact additional products through scope change suggests that the compromise could extend to related systems within the Oracle construction suite, amplifying the overall business impact.

Security mitigations for this vulnerability should prioritize immediate patching of affected versions, as Oracle typically provides security updates to address such flaws. Network segmentation and access control measures can help limit the potential impact of exploitation attempts, while monitoring for unauthorized access attempts and anomalous data modifications should be implemented. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege, as attackers can leverage low-privilege accounts to gain elevated access to system resources. Organizations should also consider implementing web application firewalls to detect and block malicious requests targeting the affected WebUI component, while conducting thorough security assessments of their Primavera Gateway deployments to identify any potential unauthorized modifications or access patterns that may indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under privilege escalation techniques, specifically targeting the web application layer where attackers can manipulate system data through improperly controlled access points.

Reservation

12/17/2022

Disclosure

01/18/2023

Moderation

accepted

CPE

ready

EPSS

0.00377

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!