Main Vulnerability Database Vulnerabilities #VU34955

Session Fixation in RSA Identity Governance and Lifecycle - CVE-2019-18573

Published: December 18, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU34955

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-18573

CWE-ID: CWE-384

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: RSA

Affected software:
RSA Identity Governance and Lifecycle

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a Session Fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability as the session token is exposed as part of the URL. A remote attacker can gain access to victim’s session and perform arbitrary actions with privileges of the user within the compromised session.

How to mitigate CVE-2019-18573

Install update from vendor's website.

Sources

https://www.dell.com/support/security/en-us/details/DOC-109310/DSA-2019-164-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi

Session Fixation in RSA Identity Governance and Lifecycle - CVE-2019-18573

Detailed vulnerability description

How to mitigate CVE-2019-18573

Sources

Please verify you're human