CVE-2018-2849 - Vulnerability Details - OpenCVE

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 16.2 and 17.1 - 17.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Oracle	Primavera P6 Enterprise Project Portfolio Management

Configuration 1 [-]

OR	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:::::::*

No data.

References

Link	Providers
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.securityfocus.com/bid/103835

History

Sat, 21 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2018-04-19T02:00:00.000Z

Updated: 2024-10-03T20:12:19.997Z

Reserved: 2017-12-15T00:00:00.000Z

Link: CVE-2018-2849

Vulnrichment

Updated: 2024-08-05T04:29:44.955Z

NVD

Status : Modified

Published: 2018-04-19T02:29:06.333

Modified: 2024-11-21T04:04:36.747

Link: CVE-2018-2849

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Primavera P6 Enterprise Project Portfolio Management", "vendor": "Oracle Corporation", "versions": [{"status": "affected", "version": "16.2"}, {"status": "affected", "version": "17.1 \u2013 17.12"}]}], "datePublic": "2018-03-27T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 16.2 and 17.1 - 17.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)."}], "problemTypes": [{"descriptions": [{"description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-04-19T09:57:01.000Z", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "103835", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103835"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2018-2849", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Primavera P6 Enterprise Project Portfolio Management", "version": {"version_data": [{"version_affected": "=", "version_value": "16.2"}, {"version_affected": "=", "version_value": "17.1 \u2013 17.12"}]}}]}, "vendor_name": "Oracle Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 16.2 and 17.1 - 17.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data."}]}]}, "references": {"reference_data": [{"name": "103835", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103835"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:29:44.955Z"}, "title": "CVE Program Container", "references": [{"name": "103835", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103835"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T19:26:32.153892Z", "id": "CVE-2018-2849", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T20:12:19.997Z"}}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2018-2849", "datePublished": "2018-04-19T02:00:00.000Z", "dateReserved": "2017-12-15T00:00:00.000Z", "dateUpdated": "2024-10-03T20:12:19.997Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.securityfocus.com/bid/103835", "name": "103835", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:29:44.955Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-2849", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-03T19:26:32.153892Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T19:27:14.357Z"}}], "cna": {"affected": [{"vendor": "Oracle Corporation", "product": "Primavera P6 Enterprise Project Portfolio Management", "versions": [{"status": "affected", "version": "16.2"}, {"status": "affected", "version": "17.1 \u2013 17.12"}]}], "datePublic": "2018-03-27T00:00:00.000Z", "references": [{"url": "http://www.securityfocus.com/bid/103835", "name": "103835", "tags": ["vdb-entry", "x_refsource_BID"]}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 16.2 and 17.1 - 17.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data."}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2018-04-19T09:57:01.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "16.2", "version_affected": "="}, {"version_value": "17.1 \u2013 17.12", "version_affected": "="}]}, "product_name": "Primavera P6 Enterprise Project Portfolio Management"}]}, "vendor_name": "Oracle Corporation"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/103835", "name": "103835", "refsource": "BID"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 16.2 and 17.1 - 17.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data."}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-2849", "STATE": "PUBLIC", "ASSIGNER": "secalert_us@oracle.com"}}}}, "cveMetadata": {"cveId": "CVE-2018-2849", "state": "PUBLISHED", "dateUpdated": "2024-10-03T20:12:19.997Z", "dateReserved": "2017-12-15T00:00:00.000Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2018-04-19T02:00:00.000Z", "assignerShortName": "oracle"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "B10992BE-CF6A-41E7-AD42-7314FC3D236D", "versionEndIncluding": "17.12", "versionStartIncluding": "17.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "A046CC2C-445F-4336-8810-930570B4FEC6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Construction and Engineering Suite (subcomponent: Web Access). Supported versions that are affected are 16.2 and 17.1 - 17.12. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.0 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el componente Primavera P6 Enterprise Project Portfolio Management de Oracle Construction and Engineering Suite (subcomponente: Web Access). Las versiones compatibles que se han visto afectadas son la 16.2 y de la 17.1 a la 17.12. Una vulnerabilidad f\u00e1cilmente explotable permite que un atacante con un nivel bajo de privilegios que tenga acceso a red por HTTP comprometa la seguridad de Primavera P6 Enterprise Project Portfolio Management. Aunque la vulnerabilidad est\u00e1 presente en Primavera P6 Enterprise Project Portfolio Management, los ataques podr\u00edan afectar seriamente a productos adicionales. Los ataques exitosos a esta vulnerabilidad pueden resultar en un acceso no autorizado a datos de suma importancia o un acceso completo a todos los datos accesibles de Primavera P6 Enterprise Project Portfolio Management. CVSS 3.0 Base Score 7.7 (impactos en la confidencialidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)."}], "id": "CVE-2018-2849", "lastModified": "2024-11-21T04:04:36.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-19T02:29:06.333", "references": [{"source": "secalert_us@oracle.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103835"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103835"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}