CVE-2017-3500
CVE-2017-3500 is a high-severity vulnerability in Oracle Primavera Gateway with a CVSS 3.x base score of 8.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: High (CVSS 3.x base score 8.7)
- CVSS v2: 4.9
- EPSS exploit prediction: 2% (78th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Oracle Primavera Gateway
- Published:
- Last modified:
Description
Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera Gateway accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway. CVSS 3.0 Base Score 8.7 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H).
Frequently asked questions
- What is CVE-2017-3500?
- Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration). Supported versions that are affected are 1.0, 1.1, 14.2, 15.1, 15.2, 16.1 and 16.2. Easily "exploitable" vulnerability allows high privileged attacker with network access via HTTP to compromise Primavera Gateway. While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Primavera Gateway accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway. CVSS 3.0 Base Score 8.7 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H).
- How severe is CVE-2017-3500?
- CVE-2017-3500 has a CVSS 3.x base score of 8.7, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability high.
- Is CVE-2017-3500 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (78th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-3500?
- CVE-2017-3500 primarily affects Oracle Primavera Gateway. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-3500?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2017-3500 published?
- CVE-2017-3500 was published on 2017-04-24 and last updated on 2026-06-17.
References
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- http://www.securityfocus.com/bid/97881
- http://www.securitytracker.com/id/1038289
Affected products (7)
- cpe:2.3:a:oracle:primavera_gateway:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*
More vulnerabilities in Oracle Primavera Gateway
- CVE-2019-17571 — Critical (CVSS 9.8): Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be…
- CVE-2019-17195 — Critical (CVSS 9.8): Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in…
- CVE-2019-17531 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
- CVE-2019-17495 — Critical (CVSS 9.8): A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the…
- CVE-2019-16943 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
- CVE-2019-16942 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…