CVE-2017-8004

EUVD-2017-16974

17.07.2017, 14:29

The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products (RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels; RSA Via Lifecycle and Governance version 7.0, all patch levels; RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels) allow an application administrator to upload arbitrary files that may potentially contain a malicious code. The malicious file could be then executed on the affected system with the privileges of the user the application is running under.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 75%

Affected Products (NVD)

Vendor	Product	Version
emc	rsa_identity_governance_and_lifecycle	7.0.1
emc	rsa_identity_governance_and_lifecycle	7.0.1.1
emc	rsa_identity_governance_and_lifecycle	7.0.1.2
emc	rsa_identity_governance_and_lifecycle	7.0.1.3
emc	rsa_identity_governance_and_lifecycle	7.0.2
emc	rsa_identity_governance_and_lifecycle	7.0.2.1
emc	rsa_identity_management_and_governance	6.9.1
emc	rsa_identity_management_and_governance	6.9.1.1
emc	rsa_identity_management_and_governance	6.9.1.2
emc	rsa_identity_management_and_governance	6.9.1.3
emc	rsa_identity_management_and_governance	6.9.1.4
emc	rsa_identity_management_and_governance	6.9.1.5
emc	rsa_identity_management_and_governance	6.9.1.6
emc	rsa_identity_management_and_governance	6.9.1.7
emc	rsa_identity_management_and_governance	6.9.1.8
emc	rsa_identity_management_and_governance	6.9.1.9
emc	rsa_identity_management_and_governance	6.9.1.10
emc	rsa_identity_management_and_governance	6.9.1.11
emc	rsa_identity_management_and_governance	6.9.1.12
emc	rsa_identity_management_and_governance	6.9.1.13
emc	rsa_identity_management_and_governance	6.9.1.14
emc	rsa_identity_management_and_governance	6.9.1.15
emc	rsa_identity_management_and_governance	6.9.1.16
emc	rsa_identity_management_and_governance	6.9.1.17
emc	rsa_identity_management_and_governance	6.9.1.18
emc	rsa_identity_management_and_governance	6.9.1.19
emc	rsa_identity_management_and_governance	6.9.1.20
emc	rsa_identity_management_and_governance	6.9.1.21
emc	rsa_identity_management_and_governance	6.9.1.22
emc	rsa_identity_management_and_governance	6.9.1.23
emc	rsa_identity_management_and_governance	6.9.1.24
rsa	rsa_via_lifecycle_and_governance	7.0
rsa	rsa_via_lifecycle_and_governance	7.0.0.1
rsa	rsa_via_lifecycle_and_governance	7.0.0.2
rsa	rsa_via_lifecycle_and_governance	7.0.0.3
rsa	rsa_via_lifecycle_and_governance	7.0.0.4
rsa	rsa_via_lifecycle_and_governance	7.0.0.5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://seclists.org/fulldisclosure/2017/Jul/24

http://www.securityfocus.com/bid/99591

http://www.securitytracker.com/id/1038877

http://seclists.org/fulldisclosure/2017/Jul/24

http://www.securityfocus.com/bid/99591

http://www.securitytracker.com/id/1038877