Vulnerability identifier: #VU13865
Vulnerability risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-77
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
RSA Identity Governance and Lifecycle
Client/Desktop applications /
Encryption software
Vendor: RSA
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.
The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can bypass Java Security Policies to inject and execute arbitrary system commands on the target system with the privileges of the target application.
Mitigation
Update to version 7.0.2 P07, 7.1.0 P01.
Vulnerable software versions
RSA Identity Governance and Lifecycle: 7.0.1 - 7.1.0
External links
http://seclists.org/fulldisclosure/2018/Jul/46
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.