From be9cfcc79c7d9b6e087b9f5f83909bd6705bd877 Mon Sep 17 00:00:00 2001
From: DellEMCProductSecurity
Date: Wed, 13 Mar 2019 15:31:37 -0400
Subject: [PATCH] Added CVE-2019-3711,3715,3716,3785
---
2019/3xxx/CVE-2019-3711.json | 102 ++++++++++++++++++++++++++++-------
2019/3xxx/CVE-2019-3715.json | 89 +++++++++++++++++++++++++-----
2019/3xxx/CVE-2019-3716.json | 89 +++++++++++++++++++++++++-----
2019/3xxx/CVE-2019-3785.json | 98 +++++++++++++++++++++++++++------
4 files changed, 320 insertions(+), 58 deletions(-)
diff --git a/2019/3xxx/CVE-2019-3711.json b/2019/3xxx/CVE-2019-3711.json
index 2e32fad8e3e..38a6d50c6ee 100644
--- a/2019/3xxx/CVE-2019-3711.json
+++ b/2019/3xxx/CVE-2019-3711.json
@@ -1,18 +1,84 @@
-{
- "CVE_data_meta" : {
- "ASSIGNER" : "cve@mitre.org",
- "ID" : "CVE-2019-3711",
- "STATE" : "RESERVED"
- },
- "data_format" : "MITRE",
- "data_type" : "CVE",
- "data_version" : "4.0",
- "description" : {
- "description_data" : [
- {
- "lang" : "eng",
- "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
- }
-}
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "secure@dell.com",
+ "DATE_PUBLIC": "2019-02-28T05:00:00.000Z",
+ "ID": "CVE-2019-3711",
+ "STATE": "PUBLIC",
+ "TITLE": "DSA-2019-038: RSA® Authentication Manager Insecure Credential Management Vulnerability"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "RSA Authentication Manager",
+ "version": {
+ "version_data": [
+ {
+ "affected": "<",
+ "version_name": "8.4",
+ "version_value": "P1"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Dell"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A \nmalicious Operations Console administrator may be able to obtain the value of a domain password that another Operations \nConsole administrator had set previously and use it for attacks."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "HIGH",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.8,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "HIGH",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
+ "version": "3.0"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "insecure credential management"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://seclists.org/fulldisclosure/2019/Mar/5"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ }
+}
\ No newline at end of file
diff --git a/2019/3xxx/CVE-2019-3715.json b/2019/3xxx/CVE-2019-3715.json
index da7718ea1e7..027fa1875cc 100644
--- a/2019/3xxx/CVE-2019-3715.json
+++ b/2019/3xxx/CVE-2019-3715.json
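Review bot: In CVE-2019-3711.json the affected range is split as `"version_name": "8.4"` and `"version_value": "P1"` under `"affected": "<"`, so a consumer that compares against `version_value` alone sees "< P1" rather than the "prior to 8.4 P1" stated in the description. Carrying the full boundary in the value, `"version_value": "8.4 P1"`, would match how the RSA Archer records in this same patch express theirs. The description string also embeds `\n` in mid-sentence ("A \nmalicious", "Operations \nConsole"), which looks like wrapping residue from the advisory and will render as stray line breaks; replacing each with a plain space changes nothing else.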
@@ -1,18 +1,83 @@ { - "CVE_data_meta" : { - "ASSIGNER" : "cve@mitre.org", - "ID" : "CVE-2019-3715", - "STATE" : "RESERVED" + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2019-03-09T05:00:00.000Z", + "ID": "CVE-2019-3715", + "STATE": "PUBLIC", + "TITLE": "Information Exposure Vulnerability" }, - "data_format" : "MITRE", - "data_type" : "CVE", - "data_version" : "4.0", - "description" : { - "description_data" : [ + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "RSA Archer", + "version": { + "version_data": [ + { + "affected": "<", + "version_value": "6.5 P1" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ { - "lang" : "eng", - "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "lang": "eng", + "value": "RSA Archer versions, prior to 6.5 SP1, contain an information exposure vulnerability. Users' session information is logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed information to use it in further attacks." 
} ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information Exposure Vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "url": "https://seclists.org/fulldisclosure/2019/Mar/19" + } + ] + }, + "source": { + "discovery": "UNKNOWN" } -} +} \ No newline at end of file diff --git a/2019/3xxx/CVE-2019-3716.json b/2019/3xxx/CVE-2019-3716.json index 04b881d2930..7aa5b0ca677 100644 --- a/2019/3xxx/CVE-2019-3716.json +++ b/2019/3xxx/CVE-2019-3716.json 
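Review bot: The machine-readable boundary in CVE-2019-3715.json is `"version_value": "6.5 P1"`, while the description says "prior to 6.5 SP1"; a patch and a service pack are presumably different release levels, so one of the two is wrong and someone triaging from the structured field may reach a different fixed-version conclusion than someone reading the text. CVE-2019-3716.json has the same mismatch ("6.5 P2" against "6.5 SP2"). Both should be checked against the vendor advisory and made to agree before the records go public. Separately, the vector scores `I:H/A:H` although the text describes only disclosure of session information from log files; if those impacts are meant to cover follow-on use of a captured session, a sentence in the description saying so would help.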
@@ -1,18 +1,83 @@ { - "CVE_data_meta" : { - "ASSIGNER" : "cve@mitre.org", - "ID" : "CVE-2019-3716", - "STATE" : "RESERVED" + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2019-03-09T05:00:00.000Z", + "ID": "CVE-2019-3716", + "STATE": "PUBLIC", + "TITLE": "Information Exposure Vulnerability" }, - "data_format" : "MITRE", - "data_type" : "CVE", - "data_version" : "4.0", - "description" : { - "description_data" : [ + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "RSA Archer", + "version": { + "version_data": [ + { + "affected": "<", + "version_value": "6.5 P2" + } + ] + } + } + ] + }, + "vendor_name": "Dell" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ { - "lang" : "eng", - "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "lang": "eng", + "value": "RSA Archer versions, prior to 6.5 SP2, contain an information exposure vulnerability. The database connection password may get logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed password to use it in further attacks." 
} ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Information Exposure Vulnerability" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "url": "https://seclists.org/fulldisclosure/2019/Mar/19" + } + ] + }, + "source": { + "discovery": "UNKNOWN" } -} +} \ No newline at end of file diff --git a/2019/3xxx/CVE-2019-3785.json b/2019/3xxx/CVE-2019-3785.json index c2065c1693d..81575d80848 100644 --- a/2019/3xxx/CVE-2019-3785.json +++ b/2019/3xxx/CVE-2019-3785.json 
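Review bot: `"TITLE": "Information Exposure Vulnerability"` in CVE-2019-3716.json is identical to the title of CVE-2019-3715.json and names neither the product nor what is exposed, so the two records cannot be told apart in any feed or ticket queue that lists by title. A title drawn from the description, for example `"TITLE": "RSA Archer database connection password logged in plain text"`, would make the record self-describing. The `problemtype` value also carries no CWE identifier, unlike the CVE-2019-3785 record in this patch ("CWE-285: Improper Authorization"); `"value": "CWE-532: Insertion of Sensitive Information into Log File"` fits what the description says and lets consumers that group by CWE classify both Archer records.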
@@ -1,18 +1,84 @@ { - "CVE_data_meta" : { - "ASSIGNER" : "cve@mitre.org", - "ID" : "CVE-2019-3785", - "STATE" : "RESERVED" - }, - "data_format" : "MITRE", - "data_type" : "CVE", - "data_version" : "4.0", - "description" : { - "description_data" : [ - { - "lang" : "eng", - "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." - } + "data_type": "CVE", + "data_format": "MITRE", + "data_version": "4.0", + "CVE_data_meta": { + "ASSIGNER": "secure@dell.com", + "DATE_PUBLIC": "2019-03-12T00:00:00.000Z", + "ID": "CVE-2019-3785", + "STATE": "PUBLIC", + "TITLE": "Cloud Controller provides signed URL with write authorization to read only user" + }, + "source": { + "discovery": "UNKNOWN" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "CAPI", + "version": { + "version_data": [ + { + "affected": "<", + "version_name": "All", + "version_value": "1.78.0" + } + ] + } + } + ] + }, + "vendor_name": "Cloud Foundry" + } ] - } -} + } + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Cloud Foundry Cloud Controller, versions prior to 1.78.0, contain an endpoint with improper authorization. A remote authenticated malicious user with read permissions can request package information and receive a signed bit-service url that grants the user write permissions to the bit-service." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-285: Improper Authorization" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "url": "https://www.cloudfoundry.org/blog/cve-2019-3785", + "name": "https://www.cloudfoundry.org/blog/cve-2019-3785" + } + ]}, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 6.5, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", + "version": "3.0" + } + } +} \ No newline at end of file
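Review bot: The vector sets `"privilegesRequired": "HIGH"`, but the description places the attacker as "a remote authenticated malicious user with read permissions", which reads more like the basic-user case that CVSS 3.0 scores as Low. If that reading is right, `PR:L` in `vectorString` together with `"privilegesRequired": "LOW"` would move the base score from 6.5 into the High range, so the record as written may understate the issue for anyone prioritising on `baseSeverity`; worth confirming against the Cloud Foundry advisory. Smaller consistency points in the same hunk: `"version_name": "All"` sits beside `"affected": "<"` and `"version_value": "1.78.0"`, and `product_name` says "CAPI" while the text says "Cloud Controller", so matching on product name works only if the reader already knows these refer to the same component.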