PatchSiren cyber security CVE debrief
CVE-2017-3263 Oracle CVE debrief
CVE-2017-3263 is a high-severity Oracle Primavera P6 Enterprise Project Portfolio Management issue in the Team Member subcomponent. According to NVD, a low-privileged attacker with network access via HTTP could compromise affected systems, with the main impact being unauthorized access to and modification of Primavera P6 EPPM data. The vulnerable versions listed by NVD are 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2.
- Vendor: Oracle
- Product: CVE-2017-3263
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Organizations running Oracle Primavera P6 Enterprise Project Portfolio Management, especially teams exposing the application over HTTP and those using the affected Team Member component. Administrators and security teams responsible for access control, patching, and monitoring of project and portfolio management data should treat this as important.
Technical summary
NVD characterizes the issue as network-reachable over HTTP with low privileges required and no user interaction, using CVSS v3.0 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N for a base score of 8.1. The affected product is Oracle Primavera P6 Enterprise Project Portfolio Management, specifically the Team Member subcomponent, and NVD lists the impacted versions as 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2. NVD does not assign a specific CWE beyond NVD-CWE-noinfo.
Defensive priority
High
Recommended defensive actions
- Confirm whether any deployed Oracle Primavera P6 Enterprise Project Portfolio Management instances are running versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, or 16.2.
- Review Oracle's January 2017 Critical Patch Update advisory referenced by NVD and apply the vendor-recommended remediation path for affected deployments.
- Restrict network exposure to Primavera P6 EPPM, especially HTTP access, to trusted administrative and business networks only.
- Audit Team Member access and monitor for unexpected create, delete, or modify activity involving critical Primavera P6 data.
- Validate that least-privilege accounts are used for all application access and remove unnecessary privileges where possible.
Evidence notes
This debrief is based on the supplied NVD record and its referenced Oracle advisory/BID links. NVD states the issue affects Primavera P6 Enterprise Project Portfolio Management Team Member and lists impacted versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N with base score 8.1. NVD also labels the weakness as NVD-CWE-noinfo, so no more specific CWE should be assumed.
Official resources
- CVE-2017-3263 CVE record: CVE.org
- CVE-2017-3263 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed in the CVE/NVD record on 2017-01-27; the supplied NVD entry was last modified on 2026-05-13.