{ "id": "CVE-2019-18573", "sourceIdentifier": "security_alert@emc.com", "published": "2019-12-18T21:15:13.083", "lastModified": "2020-08-31T16:15:13.053", "vulnStatus": "Modified", "descriptions": [ { "lang": "en", "value": "The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a Session Fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability as the session token is exposed as part of the URL. A remote attacker can gain access to victim\u2019s session and perform arbitrary actions with privileges of the user within the compromised session." }, { "lang": "es", "value": "Los productos RSA Identity Governance and Lifecycle y RSA Via Lifecycle and Governance anteriores a 7.1.1 P03 contienen una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n. Un usuario local malintencionado autenticado podr\u00eda aprovechar esta vulnerabilidad ya que el token de sesi\u00f3n se expone como parte de la URL. Un atacante remoto puede obtener acceso a la sesi\u00f3n de la v\u00edctima y realizar acciones arbitrarias con privilegios del usuario dentro de la sesi\u00f3n comprometida." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.8, "impactScore": 5.9 } ], "cvssMetricV30": [ { "source": "security_alert@emc.com", "type": "Secondary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.3, "impactScore": 5.8 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-384" } ] }, { "source": "security_alert@emc.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-598" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "54F243EB-5F06-4728-8815-93BDB5502F74" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DD518D4A-157A-42D8-B958-8C4661CE6224" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E2715882-4E9F-4E4C-A648-30B5D8B36C63" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "BC3F7997-46CC-4345-981A-4CA38A73BA8C" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p01:*:*:*:*:*:*", "matchCriteriaId": "DD36DED8-5591-4A76-AD40-7DAED6EF1954" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p02:*:*:*:*:*:*", "matchCriteriaId": "6CF203FD-8A59-4237-820A-FDBE4F28E4B9" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p03:*:*:*:*:*:*", "matchCriteriaId": "08FC40D4-433A-4EDE-87B1-422D0473D6D8" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p04:*:*:*:*:*:*", "matchCriteriaId": "5CF1C39E-D12B-44E4-8172-CD91F17E871B" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p05:*:*:*:*:*:*", "matchCriteriaId": "31DCF79D-E1EA-4F65-B355-C821B0D78E73" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p06:*:*:*:*:*:*", "matchCriteriaId": "82CFC850-4C98-42B5-AE77-592FD64E78E1" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p07:*:*:*:*:*:*", "matchCriteriaId": "9DE35E51-0C69-41A8-9332-A9E411CE0B92" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.0:p08:*:*:*:*:*:*", "matchCriteriaId": "A8989E78-229D-47B1-A60F-50394D8DF244" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.1:-:*:*:*:*:*:*", "matchCriteriaId": "6E9E1900-FE59-440A-87D6-35DE7233EAB3" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.1:p01:*:*:*:*:*:*", "matchCriteriaId": "15371ECD-CACD-4E1F-854B-D5EA6D1BBC54" }, { "vulnerable": true, "criteria": "cpe:2.3:a:dell:rsa_identity_governance_and_lifecycle:7.1.1:p02:*:*:*:*:*:*", "matchCriteriaId": "ACD868A6-05CC-4BCF-BC53-EA4418DE5F45" } ] } ] } ], "references": [ { "url": "https://community.rsa.com/docs/DOC-109310", "source": "security_alert@emc.com" } ] }