CVE-2019-3711 - OpenCVE

RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emc	Rsa Authentication Manager
Rsa	Authentication Manager

Configuration 1 [-]

OR	cpe:2.3:a:emc:rsa_authentication_manager:8.4:-::::::
	cpe:2.3:a:rsa:authentication_manager::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/107210
https://seclists.org/fulldisclosure/2019/Mar/5

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2019-03-13T22:00:00Z

Updated: 2024-09-16T20:17:34.908Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3711

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-03-13T21:29:00.353

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-3711

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "RSA Authentication Manager", "vendor": "Dell", "versions": [{"lessThan": "P1", "status": "affected", "version": "8.4", "versionType": "custom"}]}], "datePublic": "2019-02-28T00:00:00", "descriptions": [{"lang": "en", "value": "RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "insecure credential management", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-14T09:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"name": "20190228 DSA-2019-038: RSA Authentication Manager Insecure Credential Management Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "https://seclists.org/fulldisclosure/2019/Mar/5"}, {"name": "107210", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/107210"}], "source": {"discovery": "UNKNOWN"}, "title": "DSA-2019-038: RSA\u00ae Authentication Manager Insecure Credential Management Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2019-02-28T05:00:00.000Z", "ID": "CVE-2019-3711", "STATE": "PUBLIC", "TITLE": "DSA-2019-038: RSA\u00ae Authentication Manager Insecure Credential Management Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RSA Authentication Manager", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "8.4", "version_value": "P1"}]}}]}, "vendor_name": "Dell"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "insecure credential management"}]}]}, "references": {"reference_data": [{"name": "20190228 DSA-2019-038: RSA Authentication Manager Insecure Credential Management Vulnerability", "refsource": "FULLDISC", "url": "https://seclists.org/fulldisclosure/2019/Mar/5"}, {"name": "107210", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107210"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:17.488Z"}, "title": "CVE Program Container", "references": [{"name": "20190228 DSA-2019-038: RSA Authentication Manager Insecure Credential Management Vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "https://seclists.org/fulldisclosure/2019/Mar/5"}, {"name": "107210", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/107210"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2019-3711", "datePublished": "2019-03-13T22:00:00Z", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-09-16T20:17:34.908Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emc:rsa_authentication_manager:8.4:-:*:*:*:*:*:*", "matchCriteriaId": "EF61F8BF-7483-4A81-9219-EE2465D48182", "vulnerable": true}, {"criteria": "cpe:2.3:a:rsa:authentication_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CD5FF51-B834-4181-B635-BCF6CF616CCD", "versionEndExcluding": "8.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RSA Authentication Manager versions prior to 8.4 P1 contain an Insecure Credential Management Vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks."}, {"lang": "es", "value": "RSA Authentication Manager, en CVErsiones anteriores a la 8.4 P1, contiene una vulnerabilidad de gesti\u00f3n insegura de credenciales. Un administrador malicioso de la consola de operaciones podr\u00eda ser capaz de obtener el valor de una contrase\u00f1a de dominio que hab\u00eda sido establecida por otro administrador de la consola de operaciones y emplearla para ataques."}], "id": "CVE-2019-3711", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2019-03-13T21:29:00.353", "references": [{"source": "security_alert@emc.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/107210"}, {"source": "security_alert@emc.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2019/Mar/5"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}