#VU35498 Code Injection in RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance - CVE-2019-3759
Published: September 11, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU35498
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-3759
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
RSA Identity Governance and Lifecycle
RSA Via Lifecycle and Governance
RSA Identity Governance and Lifecycle
RSA Via Lifecycle and Governance
Software vendor:
RSA
RSA
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.
Remediation
Install update from vendor's website.