#VU7495 Arbitrary file upload


Published: 2017-07-13

Vulnerability identifier: #VU7495

Vulnerability risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8004

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RSA Via Lifecycle and Governance
Client/Desktop applications / Encryption software
RSA Identity Governance and Lifecycle
Client/Desktop applications / Encryption software
RSA Identity Management and Governance
Client/Desktop applications / Encryption software

Vendor: RSA

Description
The vulnerability allows a remote attacker with administrator privileges to upload arbitrary files.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can upload a specially crafted file that may contain malicious code and have it executed on the system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update RSA Identity Governance and Lifecycle to version 7.0.1 P03 or 7.0.2 P01.
Update RSA Via Lifecycle and Governance to version 7.0.1 P03.
Update RSA Identity Management and Governance (RSA IMG) to version 7.0.1 P03.

Vulnerable software versions

RSA Via Lifecycle and Governance: 7.0

RSA Identity Governance and Lifecycle: 7.0.1 - 7.0.2

RSA Identity Management and Governance: 6.9.1


External links
http://seclists.org/fulldisclosure/2017/Jul/24


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
