CVE-2024-21095 in Primavera P6 Enterprise Project Portfolio Management

Summary

by MITRE • 04/17/2024

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 19.12.0-19.12.22, 20.12.0-20.12.21, 21.12.0-21.12.18, 22.12.0-22.12.12 and 23.12.0-23.12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).


Analysis

by VulDB Data Team • 06/18/2025

CVE-2024-21095 is a high-severity flaw (CVSS 3.1 base score 8.2) in the Web Access component of Oracle Construction and Engineering's Primavera P6 Enterprise Project Portfolio Management. The affected supported versions are 19.12.0 through 19.12.22, 20.12.0 through 20.12.21, 21.12.0 through 21.12.18, 22.12.0 through 22.12.12, and 23.12.0 through 23.12.2, so every supported release train up to the April 2024 fix level is in scope. Oracle rates the issue as easily exploitable: an attacker needs no credentials, no user interaction, and no special conditions beyond HTTP access to the Web Access component, which matters for any organization that exposes the P6 web interface to a network it does not fully trust.

Oracle's advisory describes the weakness only in terms of its attack surface: an unauthenticated attacker reaches the Web Access component over HTTP and obtains access that should have required a logged-in P6 user. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) encodes the impact precisely: confidentiality impact is high (the advisory says complete read access to all data the application can reach), integrity impact is low (unauthorized update, insert or delete of some data), and there is no availability impact. Because the vector is network-based with low attack complexity and no privileges required, the flaw is reachable from any network segment that can open an HTTP connection to the Web Access endpoint, including the internet where the interface is published externally. Note that the vector does not claim a full system takeover; what it claims is a bypass of the application's access controls on its data.

The operational impact follows from what P6 holds. Project schedules, resource assignments, cost and budget data, and cross-project portfolio views are exactly the data the advisory says an attacker can read in full and partially modify. Unauthorized reads expose commercially sensitive schedule and cost information across every organizational unit the instance serves; unauthorized updates, inserts or deletes can silently corrupt baselines and forecasts that downstream reporting and contractual obligations depend on. Organizations that run P6 as a system of record for mission-critical programs should treat both the disclosure and the integrity risk as material, since tampered schedule data can go unnoticed until it drives a financial or delivery decision.

In MITRE ATT&CK terms this is an Initial Access technique (T1190, Exploit Public-Facing Application): an unauthenticated network flaw in a web application is a natural first foothold, and the data it exposes can support later stages such as reconnaissance of project and personnel information. The page classifies the weakness under CWE-287 (Improper Authentication), which matches the advisory's description of an unauthenticated attacker obtaining access that should require a P6 login.

Mitigation is straightforward in priority order. First, apply the fix from the Oracle Critical Patch Update in which this CVE was disclosed (April 2024); the affected version ranges above end at the last unfixed patch level of each train, so any listed version should be moved to the next patch or later. Second, until patched, restrict network access to the Web Access component to trusted address ranges or a VPN, and do not publish it directly to the internet; switching the interface to HTTPS does not help, because the flaw is in the application's authentication, not in transport. Third, review web server and application logs for requests to the P6 web context from untrusted sources and for access to project data without a preceding successful login, and inventory every exposed P6 web endpoint (Web Access, web services, integration APIs) so that nothing in the affected ranges remains reachable unnoticed. The CVSS vector's AV:N/PR:N/UI:N combination is the reason to treat external exposure of an unpatched instance as an emergency rather than a routine patching item.
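Two of the checks recommended above, deciding whether a deployed P6 build falls inside the advisory's affected ranges and flagging requests to the P6 web context from untrusted networks, are easy to get wrong by hand (string comparison puts 19.12.9 after 19.12.22). The following is an added example written for this page, not code from Oracle or from VulDB. The affected ranges are copied from the advisory text above; the `/p6` context root, the trusted CIDR list, and the Apache combined-format log lines are constructed assumptions for the demonstration and should be replaced with the values from your own deployment.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Affected ranges copied verbatim from the Oracle advisory text (inclusive).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("19.12.0", "19.12.22"),
    ("20.12.0", "20.12.21"),
    ("21.12.0", "21.12.18"),
    ("22.12.0", "22.12.12"),
    ("23.12.0", "23.12.2"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '23.12.1' into (23, 12, 1) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:          # treat '23.12' as 23.12.0
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges.

    False means 'not listed': later patch levels are fixed, but older
    unsupported trains were simply not assessed by the advisory, so a False
    for those must not be read as 'safe'.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Apache/NGINX combined log format: client IP, then the request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_external_requests(
    lines: Iterable[str],
    trusted_cidrs: Iterable[str],
    context_root: str = "/p6",   # assumed P6 Web Access context root
) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for requests to the P6 web context
    whose source address is outside every trusted CIDR."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(context_root):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                       # malformed client field; skip
        if any(src in net for net in nets):
            continue                       # trusted source, nothing to report
        hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample log for the demonstration (not real traffic).
SAMPLE_LOG = """\
10.20.5.17 - - [18/Apr/2024:09:01:12 +0000] "GET /p6/action/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.5.17 - - [18/Apr/2024:09:01:30 +0000] "POST /p6/action/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [18/Apr/2024:09:02:01 +0000] "GET /p6/action/login HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.44 - - [18/Apr/2024:09:02:03 +0000] "GET /p6/action/projectList HTTP/1.1" 200 88213 "-" "python-requests/2.31"
198.51.100.9 - - [18/Apr/2024:09:05:44 +0000] "GET /status HTTP/1.1" 200 12 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for ver in ("19.12.9", "23.12.2", "23.12.3", "24.12.0"):
        print(f"{ver:>8}: {'AFFECTED' if is_affected(ver) else 'not listed'}")
    for hit in flag_external_requests(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]):
        print("untrusted source hit P6 web context:", hit)
```

Run against your own access log and the CIDRs that are actually allowed to reach Web Access; every hit is a source that the firewall rule recommended above should have blocked. The version check is deliberately narrow: it reports only what the advisory lists, so an out-of-support train such as 18.8 returns False without implying it is safe.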

Responsible

Oracle

Reservation

12/07/2023

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00527

KEV

no

Activities

very low

Sources
