Vulnerability Name:

CVE-2018-11049

Assigned:2018-07-05
Published:2018-07-05
Updated:2018-09-10
Summary:RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system.
CVSS v3 Severity:7.3 High (CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
6.4 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.3 High (CCN CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
6.4 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-427
References:Source: FULLDISC
Type: VENDOR_ADVISORY
20180705 DSA-2018-117 RSA Identity Governance and Lifecycle Uncontrolled Search Path Vulnerability

Source: BID
Type: VENDOR_ADVISORY
104722

Source: SECTRACK
Type: VENDOR_ADVISORY
1041228

Source: XF
Type: UNKNOWN
rsa-identity-cve201811049-priv-esc(145954)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:emc:rsa_identity_governance_and_lifecycle:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:emc:rsa_identity_management_and_governance:6.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:emc:rsa_identity_management_and_governance:6.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:emc:rsa_via_lifecycle_and_governance:7.0:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:emc:rsa_via_lifecycle_and_governance:7.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    emc rsa identity governance and lifecycle 7.1.0
    emc rsa identity management and governance 6.9.0
    emc rsa identity management and governance 6.9.1
    emc rsa via lifecycle and governance 7.0
    emc rsa via lifecycle and governance 7.0