Sign-up

ID

VAR-201912-1252


CVE

CVE-2019-18573


TITLE

RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance Session fixation vulnerability in products

Trust: 0.8

sources: JVNDB: JVNDB-2019-013712

DESCRIPTION

The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a Session Fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability as the session token is exposed as part of the URL. A remote attacker can gain access to victim’s session and perform arbitrary actions with privileges of the user within the compromised session

Trust: 1.71

sources: NVD: CVE-2019-18573 // JVNDB: JVNDB-2019-013712 // VULHUB: VHN-150933

AFFECTED PRODUCTS

vendor:dellmodel:rsa identity governance and lifecyclescope:eqversion:7.0

Trust: 1.0

vendor:dellmodel:rsa identity governance and lifecyclescope:eqversion:7.1.0

Trust: 1.0

vendor:dellmodel:rsa identity governance and lifecyclescope:eqversion:7.1.1

Trust: 1.0

vendor:dellmodel:rsa identity governance and lifecyclescope:eqversion:7.0.1

Trust: 1.0

vendor:dellmodel:rsa identity governance and lifecyclescope:eqversion:7.0.2

Trust: 1.0

vendor:dell emc old emcmodel:rsa identity governance and lifecyclescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-013712 // NVD: CVE-2019-18573

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-18573
value: HIGH

Trust: 1.0

security_alert@emc.com: CVE-2019-18573
value: HIGH

Trust: 1.0

NVD: CVE-2019-18573
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201912-885
value: HIGH

Trust: 0.6

VULHUB: VHN-150933
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-18573
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-150933
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-18573
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

security_alert@emc.com: CVE-2019-18573
baseSeverity: HIGH
baseScore: 8.7
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 5.8
version: 3.0

Trust: 1.0

NVD: CVE-2019-18573
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-150933 // JVNDB: JVNDB-2019-013712 // CNNVD: CNNVD-201912-885 // NVD: CVE-2019-18573 // NVD: CVE-2019-18573

PROBLEMTYPE DATA

problemtype:CWE-384

Trust: 1.9

problemtype:CWE-598

Trust: 1.0

sources: VULHUB: VHN-150933 // JVNDB: JVNDB-2019-013712 // NVD: CVE-2019-18573

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-885

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201912-885

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-013712

PATCH
title:DSA-2019-164: RSA Identity Governance and Lifecycle Product Security Update for Multiple Vulnerabilitiesurl:https://www.dell.com/support/security/en-us/details/DOC-109310/DSA-2019-164-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi
Trust: 0.8
title:Dell RSA Identity Governance and Lifecycle  and RSA Via Lifecycle and Governance Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=105804
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-013712 // 
            
            
            
            CNNVD: CNNVD-201912-885

EXTERNAL IDS
db:NVDid:CVE-2019-18573
Trust: 2.5
db:JVNDBid:JVNDB-2019-013712
Trust: 0.8
db:CNNVDid:CNNVD-201912-885
Trust: 0.7
db:CNVDid:CNVD-2020-22812
Trust: 0.1
db:VULHUBid:VHN-150933
Trust: 0.1
sources:
            
            
            VULHUB: VHN-150933 // 
            
            
            
            JVNDB: JVNDB-2019-013712 // 
            
            
            
            CNNVD: CNNVD-201912-885 // 
            
            
            
            NVD: CVE-2019-18573

REFERENCES
url:https://community.rsa.com/docs/doc-109310
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-18573
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18573
Trust: 0.8
url:https://www.dell.com/support/security/en-us/details/doc-109310/dsa-2019-164-rsa-identity-governance-and-lifecycle-product-security-update-for-multiple-vulnerabi
Trust: 0.6
sources:
            
            
            VULHUB: VHN-150933 // 
            
            
            
            JVNDB: JVNDB-2019-013712 // 
            
            
            
            CNNVD: CNNVD-201912-885 // 
            
            
            
            NVD: CVE-2019-18573

SOURCES
db:VULHUBid:VHN-150933
db:JVNDBid:JVNDB-2019-013712
db:CNNVDid:CNNVD-201912-885
db:NVDid:CVE-2019-18573

LAST UPDATE DATE
2024-11-23T22:16:41.798000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-150933date:2020-08-31T00:00:00
db:JVNDBid:JVNDB-2019-013712date:2020-01-15T00:00:00
db:CNNVDid:CNNVD-201912-885date:2020-09-02T00:00:00
db:NVDid:CVE-2019-18573date:2024-11-21T04:33:19.420

SOURCES RELEASE DATE
db:VULHUBid:VHN-150933date:2019-12-18T00:00:00
db:JVNDBid:JVNDB-2019-013712date:2020-01-15T00:00:00
db:CNNVDid:CNNVD-201912-885date:2019-12-18T00:00:00
db:NVDid:CVE-2019-18573date:2019-12-18T21:15:13.083