The versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2024 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component:
    Integration (Apache James MIME4J)). Supported versions that are affected are 19.12.0-19.12.16,     20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13 and 23.12.0-23.12.6. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Primavera Unifier. Successful     attacks of this vulnerability can result in unauthorized update, insert or delete access to some of     Primavera Unifier accessible data. (CVE-2024-21742)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Document     Management (Spring Framework)). Supported versions that are affected are 22.12.0-22.12.13 and     23.12.0-23.12.6. Easily exploitable vulnerability allows low privileged attacker with network access via     HTTP to compromise Primavera Unifier. Successful attacks require human interaction from a person other     than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or     delete access to some of Primavera Unifier accessible data as well as unauthorized read access to a subset     of Primavera Unifier accessible data. (CVE-2024-22262)

  - Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It     allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a     parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent     watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon     is exposed to the owner of the watcher. It's important to note that only the path is exposed by this     vulnerability, not the data of znode, but since znode path can contain sensitive information like user     name or login ID, this issue is potentially critical. Users are recommended to upgrade to version 3.9.2,     3.8.4 which fixes the issue. (CVE-2024-23944)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Primavera Unifier (Jul 2024 CPU)

high Nessus Plugin ID 202594

Version 1.3