ID

VAR-201909-0097


CVE

CVE-2019-3759


TITLE

RSA Identity Governance and Lifecycle Software and Via Lifecycle and Governance Code injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-009363

DESCRIPTION

The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system. The vulnerability arises because the product does not correctly filter special elements when constructing code segments from external input data. An attacker can exploit it to generate illegitimate code segments and alter the intended execution control flow of the affected system or component.

Trust: 1.71

sources: NVD: CVE-2019-3759 // JVNDB: JVNDB-2019-009363 // VULHUB: VHN-155194

AFFECTED PRODUCTS

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.1.1

Trust: 1.0

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.1.0

Trust: 1.0

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.0.1

Trust: 1.0

vendor: dell, model: rsa via lifecycle and governance, scope: eq, version: 7.0.0

Trust: 1.0

vendor: dell, model: rsa identity governance and lifecycle, scope: eq, version: 7.0.2

Trust: 1.0

vendor: dell emc old emc, model: rsa identity governance and lifecycle, scope: lt, version: 7.1.0 p08

Trust: 0.8

vendor: dell emc old emc, model: rsa via lifecycle and governance, scope: lt, version: 7.1.0 p08

Trust: 0.8

sources: JVNDB: JVNDB-2019-009363 // NVD: CVE-2019-3759

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3759
value: HIGH

Trust: 1.0

security_alert@emc.com: CVE-2019-3759
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-3759
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-585
value: HIGH

Trust: 0.6

VULHUB: VHN-155194
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-3759
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-155194
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3759
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

security_alert@emc.com: CVE-2019-3759
baseSeverity: MEDIUM
baseScore: 6.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-3759
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-155194 // JVNDB: JVNDB-2019-009363 // CNNVD: CNNVD-201909-585 // NVD: CVE-2019-3759 // NVD: CVE-2019-3759

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

sources: VULHUB: VHN-155194 // JVNDB: JVNDB-2019-009363 // NVD: CVE-2019-3759

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-585

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201909-585

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-009363

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-155194

PATCH

title: DSA-2019-134: RSA Identity Governance and Lifecycle Product Security Update for Multiple Vulnerabilities
url: https://www.dell.com/support/security/ja-jp/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi

Trust: 0.8

title: Dell RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98166

Trust: 0.6

sources: JVNDB: JVNDB-2019-009363 // CNNVD: CNNVD-201909-585

EXTERNAL IDS

db: NVD, id: CVE-2019-3759

Trust: 2.5

db: PACKETSTORM, id: 158324

Trust: 1.7

db: JVNDB, id: JVNDB-2019-009363

Trust: 0.8

db: CNNVD, id: CNNVD-201909-585

Trust: 0.7

db: EXPLOIT-DB, id: 48639

Trust: 0.7

db: VULHUB, id: VHN-155194

Trust: 0.1

sources: VULHUB: VHN-155194 // JVNDB: JVNDB-2019-009363 // CNNVD: CNNVD-201909-585 // NVD: CVE-2019-3759

REFERENCES

url:http://packetstormsecurity.com/files/158324/rsa-ig-l-aveksa-7.1.1-remote-code-execution.html

Trust: 2.3

url:https://community.rsa.com/docs/doc-106943

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-3759

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3759

Trust: 0.8

url:https://www.dell.com/support/security/en-us/details/doc-106943/dsa-2019-134-rsa-identity-governance-and-lifecycle-product-security-update-for-multiple-vulnerabi

Trust: 0.6

url:https://www.exploit-db.com/exploits/48639

Trust: 0.6

sources: VULHUB: VHN-155194 // JVNDB: JVNDB-2019-009363 // CNNVD: CNNVD-201909-585 // NVD: CVE-2019-3759

CREDITS

Jakub Palaczynski, Lukasz Plonka

Trust: 0.6

sources: CNNVD: CNNVD-201909-585

SOURCES

db: VULHUB, id: VHN-155194
db: JVNDB, id: JVNDB-2019-009363
db: CNNVD, id: CNNVD-201909-585
db: NVD, id: CVE-2019-3759

LAST UPDATE DATE

2024-11-23T22:55:27.858000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-155194, date: 2020-08-31T00:00:00
db: JVNDB, id: JVNDB-2019-009363, date: 2019-09-18T00:00:00
db: CNNVD, id: CNNVD-201909-585, date: 2020-09-02T00:00:00
db: NVD, id: CVE-2019-3759, date: 2024-11-21T04:42:28.520

SOURCES RELEASE DATE

db: VULHUB, id: VHN-155194, date: 2019-09-11T00:00:00
db: JVNDB, id: JVNDB-2019-009363, date: 2019-09-18T00:00:00
db: CNNVD, id: CNNVD-201909-585, date: 2019-09-11T00:00:00
db: NVD, id: CVE-2019-3759, date: 2019-09-11T20:15:11.410