Vulnerability CVE-2019-3759

Vulnerability CVE-2019-3759

Published: 2019-09-11

Description:

The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.

See advisories in our WLB2 database:

	Topic	Author	Date
High	RSA IG+L Aveksa 7.1.1 Remote Code Execution	Jakub Palaczynsk...	07.07.2020

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
5.5/10	4.9/10	8/10

Exploit range	Attack complexity	Authentication
Remote	Low	Single time
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	None

Affected software
DELL -> Rsa identity governance and lifecycle
DELL -> Rsa via lifecycle and governance

References:

https://www.dell.com/support/security/en-us/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi

Vulnerability CVE-2019-3759

See advisories in our WLB2 database:

High

RSA IG+L Aveksa 7.1.1 Remote Code Execution

CWE-94

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:N)

5.5/10

4.9/10

8/10

Remote

Low

Single time

Partial

Partial

None

Affected software

References: