CVE-2024-21095

8.2 HIGH

📋 TL;DR

This vulnerability in the Web Access component of Oracle Primavera P6 Enterprise Project Portfolio Management allows an unauthenticated attacker with network access via HTTP to read critical data (up to all data the application can reach) and to update, insert or delete some of it. It affects the 19.12, 20.12, 21.12, 22.12 and 23.12 release trains up to the versions listed below. Oracle rates it CVSS 3.1 Base Score 8.2 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): high confidentiality impact, low integrity impact, no availability impact.

💻 Affected Systems

Products:
  • Oracle Primavera P6 Enterprise Project Portfolio Management
Versions: 19.12.0-19.12.22, 20.12.0-20.12.21, 21.12.0-21.12.18, 22.12.0-22.12.12, 23.12.0-23.12.2
Operating Systems: All supported platforms running Primavera P6 Web Access
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Web Access component is affected. There is no configuration setting that removes the exposure, so any deployment running an affected version is exposed to every client that can reach the Web Access HTTP listener.

📦 What is this software?

Oracle Primavera P6 Enterprise Project Portfolio Management (P6 EPPM) is Oracle's enterprise application for planning, scheduling, resourcing and tracking large portfolios of projects. It is widely used in construction, engineering, energy, utilities and public-sector programmes, so its database typically holds schedules, cost and contract data that are commercially sensitive. The Web Access component (P6 Web) is the browser-facing Java EE application, normally deployed on Oracle WebLogic Server, through which users and integrations reach that data over HTTP(S). That component is the one this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An unauthenticated attacker with HTTP reachability reads everything P6 Web Access can reach (schedules, resource and cost data, contract and financial figures across the portfolio) and makes unauthorized updates, inserts or deletes to some records. Oracle's advisory puts the ceiling at complete read access plus partial write access; it does not describe code execution or denial of service.

🟠 Likely Case: Unauthorized disclosure of sensitive project and commercial information to whoever can reach the Web Access listener, with some risk of tampered project records that go unnoticed until a schedule or cost report is challenged.

🟢 If Mitigated: With Web Access reachable only from trusted networks or behind an authenticating gateway, exposure is limited to parties already inside that boundary. A breached perimeter or a compromised internal host restores the full pre-authentication exposure, so mitigation buys time rather than closing the bug.

🌐 Internet-Facing: HIGH - Unauthenticated HTTP access means internet-facing instances are immediately vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Oracle's advisory calls the vulnerability 'easily exploitable', and the CVSS vector records no authentication (PR:N) and no user interaction (UI:N). Oracle does not publish the affected request or endpoint. No public exploit code is known at the time of writing; treat that as a window for patching, not as evidence that exploitation is hard.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches are delivered with the Oracle Critical Patch Update (CPU) of April 2024. For each release train (19.12, 20.12, 21.12, 22.12, 23.12) move to a version later than the affected range listed above; the exact patch numbers are in the CPU Patch Availability Document on My Oracle Support.

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2024.html

Restart Required: Yes

Instructions:

1. Identify every P6 Web Access deployment (production, test, DR) and its release train; each train has its own patch.
2. Download the matching CPU April 2024 patches from My Oracle Support.
3. Apply them following the patch README and the Oracle documentation for that release.
4. Restart the P6 Web Access application, and the application server if the README requires it.
5. Confirm the new version in the application and record it in your asset inventory.

🔧 Temporary Workarounds

Network Segmentation (all affected versions)

Restrict network access to the Primavera P6 Web Access HTTP/HTTPS listener to trusted address ranges only. Because the vulnerability is pre-authentication, every host that can open a connection to the listener is part of the attack surface.

Web Application Firewall (all affected versions)

A WAF can reduce exposure (source allow-lists, rate limiting, blocking automated scanners and unusual user agents), but Oracle has not published the affected endpoint, so no rule can be written that reliably blocks this specific bug. Treat WAF rules as noise reduction and telemetry, not as a fix.

🧯 If You Can't Patch

  • Isolate Primavera P6 Web Access behind a VPN or zero-trust network access gateway that authenticates the user before any request reaches the application; the flaw is pre-authentication in P6, so refusing anonymous traffic upstream removes the exposure for everyone who must come through that gateway
  • Apply strict network access controls, collect the P6 Web Access access logs centrally, and alert on unauthenticated requests to the application outside the login page and static content

🔍 How to Verify

Check if Vulnerable:

Compare the deployed Primavera P6 Web Access version with the affected ranges above; any version inside a range is vulnerable regardless of configuration. Reviewing access logs for unauthenticated requests tells you whether someone has probed the application, not whether it is vulnerable.

Check Version:

Read the version from the About dialog in P6 Web Access (Help menu), from the P6 administration application, or from the application server's deployment record, and cross-check it against the patches recorded as applied in My Oracle Support.

Verify Fix Applied:

Confirm the version is later than the affected range for its release train and that the April 2024 CPU patch appears in your patch record. Oracle does not publish the affected endpoint, so a black-box test that 'unauthenticated HTTP requests no longer return sensitive data' cannot be targeted at the real bug; rely on the version and patch evidence, plus your normal post-patch regression of the login flow.
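A small check that encodes the affected ranges above, as an added example (not Oracle tooling and not part of the original advisory). It parses a version string as it appears in the About dialog or an inventory export and reports whether it sits inside an affected range. The only inference it makes beyond the advisory is that a version later than a range's last entry on the same release train is fixed; a train the advisory does not list (for example 24.12) is reported as unlisted rather than safe.

```python
"""Check whether a Primavera P6 EPPM version string falls inside the ranges
Oracle lists as affected by CVE-2024-21095 (Web Access component).

Added example, not Oracle tooling.  The ranges come from the advisory above.
'not_affected' means strictly later than the range's last version on the same
release train, which is the only inference the advisory supports.
"""

import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges per release train (major, minor), from the advisory.
AFFECTED_RANGES = {
    (19, 12): ((19, 12, 0), (19, 12, 22)),
    (20, 12): ((20, 12, 0), (20, 12, 21)),
    (21, 12): ((21, 12, 0), (21, 12, 18)),
    (22, 12): ((22, 12, 0), (22, 12, 12)),
    (23, 12): ((23, 12, 0), (23, 12, 2)),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from strings such as '22.12.10',
    'P6 EPPM 23.12.2.0' or 'Version 21.12.18 (build 123)'.
    A trailing fourth component (build number) is ignored.
    Returns None when no version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\b", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'affected', 'not_affected', 'unlisted_train' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    train = (v[0], v[1])
    if train not in AFFECTED_RANGES:
        # e.g. 24.12.x or an end-of-life train: the advisory says nothing about
        # it, so do not report it as safe.
        return "unlisted_train"
    low, high = AFFECTED_RANGES[train]
    # Tuple comparison orders (major, minor, patch) numerically, so 19.12.9
    # sorts before 19.12.22 as intended.
    return "affected" if low <= v <= high else "not_affected"


if __name__ == "__main__":
    # Constructed inputs for illustration, not real inventory data.
    for s in ["23.12.2", "23.12.3", "19.12.22", "20.12.21.0", "24.12.0", "P6 build 9"]:
        print(f"{s:>14}: {assess(s)}")
```

Feed it the version column of an inventory export and treat 'unlisted_train' and 'unknown' as items to resolve by hand, not as clean results.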

📡 Detection & Monitoring

Log Indicators:

  • Successful (2xx/3xx) responses to requests under the P6 Web Access context root (/p6 by default) from clients with no authenticated session, other than the login page and static assets
  • A single source retrieving many distinct paths or unusually large responses without ever logging in
  • Application-server access logs and P6 application logs showing data reads or writes not tied to a logged-in user

Network Indicators:

  • HTTP traffic to the P6 Web Access listener from addresses outside the expected user population
  • Unusual outbound data volumes from the P6 web tier to a single client

SIEM Query:

Illustrative Splunk SPL over the application server's HTTP access log. The sourcetype, the /p6 context root, the user-field convention ('-' for anonymous in Common Log Format) and the thresholds are placeholders to adapt after baselining your own traffic; Oracle has not published the affected endpoint, so the query looks for unauthenticated access patterns rather than for the bug itself:

index=web sourcetype=<p6-access-log> uri_path="/p6/*" status IN (200, 302) (user="-" OR NOT user=*)
| search NOT uri_path="/p6/*login*" NOT uri_path IN ("*.js", "*.css", "*.png", "*.gif", "*.ico")
| stats count AS hits, dc(uri_path) AS distinct_paths, sum(bytes) AS bytes_out, values(uri_path) AS paths BY src_ip
| where hits > 20 OR bytes_out > 10000000
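The same hunt as an offline script, as an added example that is not part of the original page and not an Oracle-supplied signature. It parses Common Log Format lines (the default WebLogic/Apache access-log shape), keeps only successful responses under /p6 that carry no authenticated user, discards the paths an anonymous client is expected to hit, and reports sources that accumulate such responses. Assumptions that are not in the advisory: the /p6 context root, the login-page and static-asset patterns, the thresholds, and every sample log line (constructed, with made-up paths; they are not the vulnerable endpoint, which Oracle has not disclosed).

```python
"""Hunt access logs for unauthenticated requests that reached P6 Web Access
content.  Added example for the detection section; it does not know the
vulnerable endpoint, so it flags behaviour (unauthenticated 2xx/3xx responses
outside the login page and static assets, from one source, in volume) for a
human to triage.

Assumptions (not from the advisory): P6 Web is at context root /p6, the log is
Common Log Format with '-' as the auth-user for anonymous requests, and the
BENIGN_ANON pattern is a local convention to adjust after baselining.
"""

import re
from collections import defaultdict
from typing import Dict, List, Optional

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Paths an anonymous client is expected to hit (assumed; tune to your deployment).
BENIGN_ANON = re.compile(r'^/p6/(?:.*login|images/|css/|js/|.*\.(?:js|css|png|gif|ico))', re.I)


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or None if it does not match."""
    m = CLF.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def find_suspicious(lines: List[str], min_hits: int = 3, min_bytes: int = 50_000) -> Dict[str, dict]:
    """Return {src_ip: summary} for sources that received at least min_hits
    successful, unauthenticated responses to non-benign /p6/ paths, or pulled
    at least min_bytes that way.  Both thresholds are tuning assumptions."""
    per_src = defaultdict(lambda: {"hits": 0, "bytes": 0, "paths": set()})
    for line in lines:
        r = parse_line(line)
        if r is None or not r["path"].startswith("/p6/"):
            continue
        if r["user"] != "-":                      # authenticated: not this CVE's pattern
            continue
        if r["status"] not in (200, 302) or BENIGN_ANON.match(r["path"]):
            continue                               # failed, or expected anonymous content
        s = per_src[r["src"]]
        s["hits"] += 1
        s["bytes"] += r["bytes"]
        s["paths"].add(r["path"].split("?")[0])  # drop query string for grouping
    return {ip: {**s, "paths": sorted(s["paths"])}
            for ip, s in per_src.items()
            if s["hits"] >= min_hits or s["bytes"] >= min_bytes}


# Constructed sample log lines (not real P6 traffic); the paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Apr/2024:09:01:02 +0000] "GET /p6/action/login HTTP/1.1" 200 4120
10.0.0.5 - jdoe [15/Apr/2024:09:01:10 +0000] "GET /p6/action/projects HTTP/1.1" 200 88213
10.0.0.5 - - [15/Apr/2024:09:01:11 +0000] "GET /p6/images/logo.png HTTP/1.1" 200 1200
203.0.113.9 - - [15/Apr/2024:09:05:00 +0000] "GET /p6/export/a HTTP/1.1" 200 20000
203.0.113.9 - - [15/Apr/2024:09:05:01 +0000] "GET /p6/export/b?id=7 HTTP/1.1" 200 20000
203.0.113.9 - - [15/Apr/2024:09:05:02 +0000] "GET /p6/export/c HTTP/1.1" 200 20000
203.0.113.9 - - [15/Apr/2024:09:05:03 +0000] "GET /p6/admin/x HTTP/1.1" 403 512
198.51.100.2 - - [15/Apr/2024:09:06:00 +0000] "GET /p6/action/login HTTP/1.1" 200 4120
"""

if __name__ == "__main__":
    for ip, summary in find_suspicious(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On the constructed sample only 203.0.113.9 is reported (three anonymous 200s to non-benign paths, 60000 bytes); the 403 is ignored, the legitimate user's authenticated request is skipped, and both login-page hits fall under the benign pattern. Run it over a real day of logs before choosing thresholds, because every P6 login already produces anonymous requests.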

🔗 References

  • Oracle Critical Patch Update Advisory, April 2024: https://www.oracle.com/security-alerts/cpuapr2024.html
  • NVD entry for CVE-2024-21095: https://nvd.nist.gov/vuln/detail/CVE-2024-21095
