Lucene search

DellCVE-2018-1245

HistoryJul 13, 2018 - 5:29 p.m.

CVE-2018-1245

2018-07-1317:29:00

CWE-863

dell

web.nvd.nist.gov

cve-2018-1245

rsa

identity lifecycle

governance

acm

authorization bypass

vulnerability

java security policies

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.002

Percentile

54.8%

JSON

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system.

Affected configurations

Nvd

Vulners

Node

emcrsa_identity_governance_and_lifecycleMatch7.0.1

emcrsa_identity_governance_and_lifecycleMatch7.0.2

emcrsa_identity_governance_and_lifecycleMatch7.1.0

VendorProductVersionCPE
emcrsa_identity_governance_and_lifecycle7.0.1cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.1:*:*:*:*:*:*:*
emcrsa_identity_governance_and_lifecycle7.0.2cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.2:*:*:*:*:*:*:*
emcrsa_identity_governance_and_lifecycle7.1.0cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.1.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
emc	rsa_identity_governance_and_lifecycle	7.0.1	cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.1:::::::*
emc	rsa_identity_governance_and_lifecycle	7.0.2	cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.0.2:::::::*
emc	rsa_identity_governance_and_lifecycle	7.1.0	cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.1.0:::::::*

CNA Affected

[
  {
    "product": "RSA Identity Governance and Lifecycle",
    "vendor": "RSA",
    "versions": [
      {
        "status": "affected",
        "version": "version 7.0.1, all patch levels"
      },
      {
        "status": "affected",
        "version": "version 7.0.2, all patch levels"
      },
      {
        "status": "affected",
        "version": "version 7.1.0, all patch levels"
      }
    ]
  }
]

References

seclists.org/fulldisclosure/2018/Jul/46

www.securitytracker.com/id/1041287

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.002

Percentile

54.8%

JSON

Related for CVE-2018-1245