Lucene search

[email protected]CVE-2018-11049

HistoryJul 11, 2018 - 8:29 p.m.

CVE-2018-11049

2018-07-1120:29:00

CWE-427

[email protected]

web.nvd.nist.gov

cve-2018-11049

rsa

identity governance

lifecycle

via lifecycle

governance

img

uncontrolled search

vulnerability

installation scripts

environment variable

local authenticated

malicious user

root user

malicious code

targeted system.

6.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system.

Affected configurations

NVD

Node

emcrsa_identity_governance_and_lifecycleMatch7.1.0

emcrsa_identity_management_and_governanceMatch6.9.0

emcrsa_identity_management_and_governanceMatch6.9.1

rsarsa_via_lifecycle_and_governanceMatch7.0

CPENameOperatorVersion
emc:rsa_identity_governance_and_lifecycleemc rsa identity governance and lifecycleeq7.1.0
emc:rsa_identity_management_and_governanceemc rsa identity management and governanceeq6.9.0
emc:rsa_identity_management_and_governanceemc rsa identity management and governanceeq6.9.1
rsa:rsa_via_lifecycle_and_governancersa rsa via lifecycle and governanceeq7.0

CPE	Name	Operator	Version
emc:rsa_identity_governance_and_lifecycle	emc rsa identity governance and lifecycle	eq	7.1.0
emc:rsa_identity_management_and_governance	emc rsa identity management and governance	eq	6.9.0
emc:rsa_identity_management_and_governance	emc rsa identity management and governance	eq	6.9.1
rsa:rsa_via_lifecycle_and_governance	rsa rsa via lifecycle and governance	eq	7.0

CNA Affected

[
  {
    "product": "Pivotal Operations Manager",
    "vendor": "Pivotal",
    "versions": [
      {
        "status": "affected",
        "version": "RSA(r) Identity Governance and Lifecycle version 7.1.0, all patch levels (Hardware Appliance, Software Bundle, and  Virtual Application deployments only)"
      },
      {
        "status": "affected",
        "version": "RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels  (Hardware Appliance and Software Bundle (also known as Soft-Appliance) deployments only)."
      },
      {
        "status": "affected",
        "version": "RSA Via Lifecycle and Governance version 7.0, all patch levels (Hardware Appliance and Software Bundle (also known as  Soft-Appliance) deployments only)"
      },
      {
        "status": "affected",
        "version": "RSA Identity Management & Governance (RSA IMG) versions 6.9.0, 6.9.1, all patch levels (Hardware Appliance and Software  Bundle (also known as Soft-Appliance)  deployments only)"
      }
    ]
  }
]

References

seclists.org/fulldisclosure/2018/Jul/23

www.securityfocus.com/bid/104722

www.securitytracker.com/id/1041228

6.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for CVE-2018-11049

cvelist1 nvd1 prion1