CVE-2019-18573
18.12.2019, 21:15
The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a Session Fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability, as the session token is exposed as part of the URL. A remote attacker can gain access to a victim's session and perform arbitrary actions with the privileges of the user within the compromised session.
Vendor | Product | Version |
---|---|---|
dell | rsa_identity_governance_and_lifecycle | 7.0 |
dell | rsa_identity_governance_and_lifecycle | 7.0.1 |
dell | rsa_identity_governance_and_lifecycle | 7.0.2 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p01 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p02 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p03 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p04 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p05 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p06 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p07 |
dell | rsa_identity_governance_and_lifecycle | 7.1.0:p08 |
dell | rsa_identity_governance_and_lifecycle | 7.1.1 |
dell | rsa_identity_governance_and_lifecycle | 7.1.1:p01 |
dell | rsa_identity_governance_and_lifecycle | 7.1.1:p02 |
Common Weakness Enumeration
- CWE-598 - Use of GET Request Method With Sensitive Query Strings: The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
- CWE-384 - Session Fixation: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.