CVE-2019-3758

RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://community.rsa.com/docs/DOC-106759	Vendor Advisory
https://community.rsa.com/docs/DOC-106759	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rsa:archer:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:42

Type	Values Removed	Values Added
References	~~() https://community.rsa.com/docs/DOC-106759 - Vendor Advisory~~	() https://community.rsa.com/docs/DOC-106759 - Vendor Advisory

Information

Published : 2019-09-18 23:15

Updated : 2024-11-21 04:42

NVD link : CVE-2019-3758

Mitre link : CVE-2019-3758

CVE.ORG link : CVE-2019-3758

JSON object : View

Products Affected

rsa

archer

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-521

Weak Password Requirements

{"id": "CVE-2019-3758", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-09-18T23:15:11.313", "references": [{"url": "https://community.rsa.com/docs/DOC-106759", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}, {"url": "https://community.rsa.com/docs/DOC-106759", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-288"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-521"}]}], "descriptions": [{"lang": "en", "value": "RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts."}, {"lang": "es", "value": "RSA Archer, versiones anteriores a 6.6 P2 (6.6.0.2), contienen una vulnerabilidad de autenticaci\u00f3n inapropiada. La vulnerabilidad permite a los administradores de sistema crear cuentas de usuario con credenciales insuficientes. Los atacantes no autenticados podr\u00edan conseguir acceso no autorizado al sistema usando esas cuentas."}], "lastModified": "2024-11-21T04:42:28.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rsa:archer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF4732A9-F080-40EF-ABA7-CCA6973CCC51", "versionEndExcluding": "6.6.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}