CA Privileged Access Manager Information Disclosure / Modification

Credit: Kevin Kotas
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-287

CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

CA20190212-01: Security Notice for CA Privileged Access Manager

Issued: February 12, 2019
Last Updated: February 12, 2019

CA Technologies Support is alerting customers to a potential risk with CA Privileged Access Manager. A vulnerability exists that can allow a remote attacker to access sensitive information or modify configuration. CA published solutions to address the vulnerabilities.

CVE-2019-7392 describes a vulnerability resulting from inadequate access controls for the components jk-manager and jk-status web service, allowing a remote attacker to access the CA PAM Web-UI without authentication.

Risk Rating: High

Platform(s): All platforms

Affected Products:
CA Privileged Access Manager 3.2.1 and prior releases
CA Privileged Access Manager 3.1.2 and prior releases
CA Privileged Access Manager 3.0.x

How to determine if the installation is affected
Customers may check the version of the product to determine if they are running a vulnerable release.

Solution
CA Privileged Access Manager 3.2.1 and prior releases: Update to CA Privileged Access Manager 3.2.2 or later
CA Privileged Access Manager 3.1.2 and prior releases: Update to CA Privileged Access Manager 3.1.3 or later
CA Privileged Access Manager 3.0.x: Contact CA support for guidance

References
CVE-2019-7392 - CA Privileged Access Manager jk-manager and jk-status access

Acknowledgement
CVE-2019-7392 - Bob Brust

Change History
Version 1.0: 2019-02-12 - Initial Release

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications. Customers who require additional information about this notice may contact CA Technologies Support at

To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln <AT>

Security Notices and PGP key

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright 2019 Broadcom.
All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.
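The advisory's root cause is a status/manager web endpoint reachable without access control. As an added illustration (not from the advisory and not CA PAM's own configuration), the fragment below assumes the jk-status and jk-manager components are Apache httpd mod_jk "status" workers and shows the unrestricted mount beside a restricted one; the paths, address ranges and file names are constructed placeholders.

```apache
# Added example, not from the advisory. Assumes the jk-status / jk-manager
# components are Apache httpd mod_jk "status" workers. Paths and network
# ranges are constructed placeholders.

# --- workers.properties (assumed file) ---
# worker.list=ajp13,jkstatus
# worker.jkstatus.type=status
# worker.jkstatus.read_only=True     # status page cannot change worker state

# --- httpd.conf, weak: the status worker is mounted with no access
# restriction, so any client that can reach the listener gets the
# status and manager pages unauthenticated.
JkMount /jk-status  jkstatus
JkMount /jk-manager jkstatus

# --- httpd.conf, hardened: keep the same mounts but limit who may reach
# them. The read-only status page is confined to loopback plus an
# administrative network; the manager page additionally requires an
# authenticated user, since it can change worker state.
<Location "/jk-status">
    Require ip 127.0.0.1 ::1 192.0.2.0/24
</Location>

<Location "/jk-manager">
    AuthType Basic
    AuthName "mod_jk manager"
    AuthUserFile "/etc/httpd/jk-manager.htpasswd"
    <RequireAll>
        Require ip 127.0.0.1 ::1 192.0.2.0/24
        Require valid-user
    </RequireAll>
</Location>
```

A quick check after applying such a restriction is to request the mounted paths from a non-admin address and confirm a 403 rather than the status page.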
