Vulnerability Details: CVE-2018-11049
RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search path vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user into running malicious code on the targeted system.
Products affected by CVE-2018-11049
- cpe:2.3:a:rsa:rsa_via_lifecycle_and_governance:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:emc:rsa_identity_management_and_governance:6.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:emc:rsa_identity_management_and_governance:6.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:emc:rsa_identity_governance_and_lifecycle:7.1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11049
0.06%
Probability of exploitation activity in the next 30 days
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-11049
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | NIST | |
7.3 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 1.3 | 5.9 | NIST | |
CWE ids for CVE-2018-11049
- The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11049
- http://seclists.org/fulldisclosure/2018/Jul/23
  Full Disclosure: DSA-2018-117 RSA Identity Governance and Lifecycle Uncontrolled Search Path Vulnerability (Mailing List; Third Party Advisory)
- http://www.securityfocus.com/bid/104722
  RSA Identity Governance and Lifecycle CVE-2018-11049 Local Untrusted Search Path vulnerability (Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1041228
  RSA Identity Management and Governance Uncontrolled Search Path Lets Local Users Gain Elevated Privileges - SecurityTracker (Third Party Advisory; VDB Entry)