cnvd - cnvd-2018-17690

cnvd-2018-17690

Vulnerability from cnvd

Title: Dell RSA Identity Governance and Lifecycle、RSA Via Lifecycle and Governance和RSA IMG本地不可信搜索路径漏洞

Description:

Dell RSA Identity Governance and Lifecycle、RSA Via Lifecycle and Governance和RSA IMG都是美国戴尔（Dell）公司的产品。Dell RSA Identity Governance and Lifecycle是一套生命周期管理解决方案；RSA Via Lifecycle and Governance是一套企业级身份识别和管理解决方案；RSA IMG是一套生命周期管理和身份识别解决方案。

Dell RSA Identity Governance and Lifecycle、RSA Via Lifecycle and Governance和RSA IMG中存在安全漏洞。攻击者可利用该漏洞诱使root用户在目标系统上执行恶意代码。

Severity: 高

Patch Name: Dell RSA Identity Governance and Lifecycle、RSA Via Lifecycle and Governance和RSA IMG本地不可信搜索路径漏洞的补丁

Patch Description:

Dell RSA Identity Governance and Lifecycle、RSA Via Lifecycle and Governance和RSA IMG中存在安全漏洞。攻击者可利用该漏洞诱使root用户在目标系统上执行恶意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可联系供应商获得补丁信息： https://www.dell.com/

Reference: http://seclists.org/fulldisclosure/2018/Jul/23

Impacted products

Name
['Dell EMC RSA Identity Governance and Lifecycle 7.1', 'Dell EMC RSA Identity Governance and Lifecycle 7.0.2 P01', 'Dell EMC RSA Identity Governance and Lifecycle 7.0.2', 'Dell EMC RSA Identity Governance and Lifecycle 7.0.1', 'Dell EMC RSA Identity Governance and Lifecycle 6.9.1', 'Dell EMC RSA Identity Governance and Lifecycle 6.9', 'Dell EMC RSA Identity Governance and Lifecycle 7.0.1 P03']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "104722"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-11049"
    }
  },
  "description": "Dell RSA Identity Governance and Lifecycle\u3001RSA Via Lifecycle and Governance\u548cRSA IMG\u90fd\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Dell RSA Identity Governance and Lifecycle\u662f\u4e00\u5957\u751f\u547d\u5468\u671f\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRSA Via Lifecycle and Governance\u662f\u4e00\u5957\u4f01\u4e1a\u7ea7\u8eab\u4efd\u8bc6\u522b\u548c\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRSA IMG\u662f\u4e00\u5957\u751f\u547d\u5468\u671f\u7ba1\u7406\u548c\u8eab\u4efd\u8bc6\u522b\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nDell RSA Identity Governance and Lifecycle\u3001RSA Via Lifecycle and Governance\u548cRSA IMG\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bf1\u4f7froot\u7528\u6237\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002",
  "discovererName": "Dell",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.dell.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-17690",
  "openTime": "2018-09-06",
  "patchDescription": "Dell RSA Identity Governance and Lifecycle\u3001RSA Via Lifecycle and Governance\u548cRSA IMG\u90fd\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Dell RSA Identity Governance and Lifecycle\u662f\u4e00\u5957\u751f\u547d\u5468\u671f\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRSA Via Lifecycle and Governance\u662f\u4e00\u5957\u4f01\u4e1a\u7ea7\u8eab\u4efd\u8bc6\u522b\u548c\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\uff1bRSA IMG\u662f\u4e00\u5957\u751f\u547d\u5468\u671f\u7ba1\u7406\u548c\u8eab\u4efd\u8bc6\u522b\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nDell RSA Identity Governance and Lifecycle\u3001RSA Via Lifecycle and Governance\u548cRSA IMG\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bf1\u4f7froot\u7528\u6237\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell RSA Identity Governance and Lifecycle\u3001RSA Via Lifecycle and Governance\u548cRSA IMG\u672c\u5730\u4e0d\u53ef\u4fe1\u641c\u7d22\u8def\u5f84\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Dell EMC RSA Identity Governance and Lifecycle 7.1",
      "Dell EMC RSA Identity Governance and Lifecycle 7.0.2 P01",
      "Dell EMC RSA Identity Governance and Lifecycle 7.0.2",
      "Dell EMC RSA Identity Governance and Lifecycle 7.0.1",
      "Dell EMC RSA Identity Governance and Lifecycle 6.9.1",
      "Dell EMC RSA Identity Governance and Lifecycle 6.9",
      "Dell EMC RSA Identity Governance and Lifecycle 7.0.1 P03"
    ]
  },
  "referenceLink": "http://seclists.org/fulldisclosure/2018/Jul/23",
  "serverity": "\u9ad8",
  "submitTime": "2018-07-13",
  "title": "Dell RSA Identity Governance and Lifecycle\u3001RSA Via Lifecycle and Governance\u548cRSA IMG\u672c\u5730\u4e0d\u53ef\u4fe1\u641c\u7d22\u8def\u5f84\u6f0f\u6d1e"
}

CVE-2018-11049 (GCVE-0-2018-11049)

Vulnerability from cvelistv5

Published

2018-07-11 20:00

Modified

2024-09-17 04:20

Severity ?

CWE

uncontrolled search path vulnerability

Summary

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/104722	vdb-entry, x_refsource_BID
	http://seclists.org/fulldisclosure/2018/Jul/23	mailing-list, x_refsource_FULLDISC
	http://www.securitytracker.com/id/1041228	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	Pivotal	Pivotal Operations Manager	Version: RSA(r) Identity Governance and Lifecycle version 7.1.0, all patch levels (Hardware Appliance, Software Bundle, and Virtual Application deployments only) Version: RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels (Hardware Appliance and Software Bundle (also known as Soft-Appliance) deployments only). Version: RSA Via Lifecycle and Governance version 7.0, all patch levels (Hardware Appliance and Software Bundle (also known as Soft-Appliance) deployments only) Version: RSA Identity Management & Governance (RSA IMG) versions 6.9.0, 6.9.1, all patch levels (Hardware Appliance and Software Bundle (also known as Soft-Appliance) deployments only)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:54:36.550Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "104722",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104722"
          },
          {
            "name": "20180705 DSA-2018-117 RSA Identity Governance and Lifecycle Uncontrolled Search Path Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/Jul/23"
          },
          {
            "name": "1041228",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041228"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pivotal Operations Manager",
          "vendor": "Pivotal",
          "versions": [
            {
              "status": "affected",
              "version": "RSA(r) Identity Governance and Lifecycle version 7.1.0, all patch levels (Hardware Appliance, Software Bundle, and  Virtual Application deployments only)"
            },
            {
              "status": "affected",
              "version": "RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels  (Hardware Appliance and Software Bundle (also known as Soft-Appliance) deployments only)."
            },
            {
              "status": "affected",
              "version": "RSA Via Lifecycle and Governance version 7.0, all patch levels (Hardware Appliance and Software Bundle (also known as  Soft-Appliance) deployments only)"
            },
            {
              "status": "affected",
              "version": "RSA Identity Management \u0026 Governance (RSA IMG) versions 6.9.0, 6.9.1, all patch levels (Hardware Appliance and Software  Bundle (also known as Soft-Appliance)  deployments only)"
            }
          ]
        }
      ],
      "datePublic": "2018-07-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "uncontrolled search path vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-13T09:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "104722",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104722"
        },
        {
          "name": "20180705 DSA-2018-117 RSA Identity Governance and Lifecycle Uncontrolled Search Path Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/Jul/23"
        },
        {
          "name": "1041228",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041228"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "RSA Identity Governance and Lifecycle Uncontrolled Search Path Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "DATE_PUBLIC": "2018-07-06T04:00:00.000Z",
          "ID": "CVE-2018-11049",
          "STATE": "PUBLIC",
          "TITLE": "RSA Identity Governance and Lifecycle Uncontrolled Search Path Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pivotal Operations Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "RSA(r) Identity Governance and Lifecycle version 7.1.0, all patch levels (Hardware Appliance, Software Bundle, and  Virtual Application deployments only)"
                          },
                          {
                            "version_value": "RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels  (Hardware Appliance and Software Bundle (also known as Soft-Appliance) deployments only)."
                          },
                          {
                            "version_value": "RSA Via Lifecycle and Governance version 7.0, all patch levels (Hardware Appliance and Software Bundle (also known as  Soft-Appliance) deployments only)"
                          },
                          {
                            "version_value": "RSA Identity Management \u0026 Governance (RSA IMG) versions 6.9.0, 6.9.1, all patch levels (Hardware Appliance and Software  Bundle (also known as Soft-Appliance)  deployments only)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pivotal"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG releases have an uncontrolled search vulnerability. The installation scripts set an environment variable in an unintended manner. A local authenticated malicious user could trick the root user to run malicious code on the targeted system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "uncontrolled search path vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "104722",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104722"
            },
            {
              "name": "20180705 DSA-2018-117 RSA Identity Governance and Lifecycle Uncontrolled Search Path Vulnerability",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/Jul/23"
            },
            {
              "name": "1041228",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041228"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2018-11049",
    "datePublished": "2018-07-11T20:00:00Z",
    "dateReserved": "2018-05-14T00:00:00",
    "dateUpdated": "2024-09-17T04:20:09.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted