Information disclosure in RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance - CVE-2019-3763

 


Published: September 11, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35501
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-3763
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: RSA
Affected software:
RSA Identity Governance and Lifecycle
RSA Via Lifecycle and Governance

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain an information exposure vulnerability. The Office 365 user password may get logged in a plain text format in the Office 365 connector debug log file. An authenticated malicious local user with access to the debug logs may obtain the exposed password to use in further attacks.
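A defender-side check for the two conditions described above, a plaintext password in a debug log and local read access to that log. This is an added example, not vendor code. The log line format, the key names matched, and the file name `connector-debug.log` are assumptions, since the advisory does not give them.

```python
import os
import re
import stat
import tempfile

# Assumption: the secret shows up as a key/value pair (password=..., "password": "...").
# The real connector log format is not given in the advisory.
SECRET_RE = re.compile(
    r"""(?i)\b(pass(?:word|wd)?|pwd)\b["']?\s*[:=]\s*["']?([^\s"',;&]+)"""
)

# Constructed sample lines, not real product output.
SAMPLE_LOG = (
    "2019-09-01 10:00:01 DEBUG connector init tenant=example.test\n"
    "2019-09-01 10:00:02 DEBUG bind user=svc@example.test password=Constructed-Pw-1\n"
    "2019-09-01 10:00:03 DEBUG retry user=svc@example.test password=********\n"
)


def is_masked(value):
    """True when the logged value is already redacted (****, [REDACTED], <hidden>)."""
    return set(value) <= set("*#") or value[0] in "[<"


def audit_log(path):
    """Return (readable_by_group_or_other, [(line_no, key)]); never echoes the secret."""
    mode = os.stat(path).st_mode
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    hits = []
    with open(path, "r", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            for m in SECRET_RE.finditer(line):
                if not is_masked(m.group(2)):
                    hits.append((no, m.group(1).lower()))
    return exposed, hits


def demo():
    """Write the constructed sample with mode 0644 and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "connector-debug.log")  # hypothetical file name
        with open(path, "w") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(path, 0o644)
        return audit_log(path)


if __name__ == "__main__":
    print(demo())
```

A file that returns both `True` and a non-empty hit list matches the exposure described here: rotate the affected credential, restrict the file's permissions, and turn debug logging off once troubleshooting is finished.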


How to mitigate CVE-2019-3763

Install the update from the vendor's website.
