Multiple vulnerabilities in RSA Identity Management and Governance

Published: 2015-05-01 | Updated: 2020-08-09

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2016-0918 CVE-2015-0532
CWE-ID	CWE-200 CWE-264
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	RSA Identity Management and Governance Client/Desktop applications / Encryption software
Vendor	RSA

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU40090

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-0918

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x before 6.9.1 P15 and RSA Via Lifecycle and Governance before 7.0.0 P04 allow remote authenticated users to obtain User Detail Popup information via a modified URL.

Mitigation

Install update from vendor's website.

Vulnerable software versions

RSA Identity Management and Governance: 6.9.0 - 6.9.1

CPE2.3

External links

https://seclists.org/bugtraq/2016/Sep/52
https://www.securityfocus.com/bid/93108
https://www.securitytracker.com/id/1036896

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU40800

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-0532

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls