CVE-2019-3759

CVSS 6.4 MEDIUMEPSS 3.2%CWE-94

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 6.4EPSS 3.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

11 Sep 2019Published on NVD

06 Jul 2020Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Affected products

Dell · RSA Identity Governance and Lifecycle Dell · RSA Via Lifecycle and Governance

public PoCs found — 2

cve_referencepacketstormsecurity.com/files/158324/RSA-IG-L-Aveksa-7.1.1-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/48639unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/158324/RSA-IG-L-Aveksa-7.1.1-Remote-Code-Execution.html https://community.rsa.com/docs/DOC-106943