
List:       full-disclosure
Subject:    [FD] DSA-2018-122: RSA Certificate Manager Path Traversal Vulnerability
From:       Dell EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2018-06-28 16:05:05
Message-ID: 1BF8853173D9704A93EF882F85952A894ECEC4 () MX304CL04 ! corp ! emc ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



DSA-2018-122: RSA Certificate Manager Path Traversal Vulnerability

Dell EMC Identifier: DSA-2018-122

CVE Identifier: CVE-2018-11051

Severity: High

Severity Rating: CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


Affected Products:

RSA Certificate Manager Versions 6.9 build 560 through 6.9 build 564

Summary:

RSA Certificate Manager 6.9 build 565 contains a fix for a path traversal vulnerability that could potentially be exploited by malicious users to compromise the affected system.

Details:

RSA Certificate Manager Versions 6.9 build 560 through 6.9 build 564 contain a path traversal vulnerability in the RSA CMP Enroll Server and the RSA REST Enroll Server. A remote unauthenticated attacker could potentially exploit this vulnerability by manipulating input parameters of the application to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.
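The advisory names the vulnerability class but publishes no parameter names, request format or exploit details. The following Python is an added example and is not RSA's code or anything taken from the advisory: it contrasts the naive file-lookup pattern that produces this class of bug (decode, join onto a document root, normalise) with a resolver that keeps every request inside the root, and runs both over constructed request values. The document root `/opt/enroll/www`, the function names and the sample requests are assumptions for illustration only.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed document root for illustration; not a real RSA Certificate Manager path.
DOC_ROOT = "/opt/enroll/www"

# Constructed request values of the kind a traversal check must handle.
# None of these come from the advisory, which names no parameters.
SAMPLE_REQUESTS = [
    "profiles/ca.pem",                      # legitimate file under the root
    "profiles/./ca.pem",                    # harmless "." segment
    "../../../etc/passwd",                  # classic dot-dot traversal
    "..%2F..%2F..%2Fetc%2Fpasswd",          # URL-encoded separators
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",      # URL-encoded dots
    "%252e%252e/etc/passwd",                # double-encoded dots
    "/etc/passwd",                          # absolute path
    "..\\..\\windows\\win.ini",             # backslash separators
    "profiles/ca.pem%00.txt",               # embedded NUL byte
]


def resolve_naive(doc_root, requested):
    """The vulnerable pattern: decode, join onto the root, normalise.

    normpath happily collapses "www/../../.." so the result escapes doc_root.
    """
    return posixpath.normpath(posixpath.join(doc_root, unquote(requested)))


def resolve_safe(doc_root, requested):
    """Resolve a user-supplied relative file name strictly inside doc_root.

    Raises ValueError for anything that is not a plain relative path made of
    ordinary segments; the final realpath/commonpath check also catches
    symlinks under the root that point outside it.
    """
    decoded = unquote(requested)
    if unquote(decoded) != decoded:
        raise ValueError("double-encoded input")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators so Windows-style traversal is not missed.
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/"):
        raise ValueError("absolute path not allowed")
    segments = [s for s in normalized.split("/") if s not in ("", ".")]
    if not segments:
        raise ValueError("empty path")
    if any(s == ".." for s in segments):
        raise ValueError("parent directory reference not allowed")
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes document root")
    return candidate


def run_checks(doc_root=DOC_ROOT, requests=SAMPLE_REQUESTS):
    """Return {request: ("allowed", path) | ("rejected", reason)} for each input."""
    results = {}
    for req in requests:
        try:
            results[req] = ("allowed", resolve_safe(doc_root, req))
        except ValueError as err:
            results[req] = ("rejected", str(err))
    return results


if __name__ == "__main__":
    print("naive :", resolve_naive(DOC_ROOT, "../../../etc/passwd"))
    for req, (verdict, detail) in run_checks().items():
        print(f"{verdict:8s} {req!r:40s} -> {detail}")
```

The resolver is deliberately strict: it rejects any `..` segment rather than normalising it away, because a request like `profiles/../profiles/ca.pem` has no legitimate reason to exist and accepting it invites another round of bypass research. The double-decode check catches the `%252e` case; the NUL check matters where the path ends up in a C-level file API that truncates at the first zero byte.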

For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the database's search utility at http://web.nvd.nist.gov/view/vuln/search.

Recommendation:
The following product version contains a resolution to this issue:
* RSA Certificate Manager version 6.9 build 565 or later

RSA recommends that all customers upgrade at the earliest opportunity. Customers should also follow security best practices: password-protect CA and SSL keys, and encrypt passwords in RSA Certificate Manager configuration files using the ppencryption tool.


Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article, "Security Advisories Severity Rating" at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends that all customers take into account both the base score and any relevant temporal and environmental scores, which may affect the potential severity associated with a particular security vulnerability.



-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEazKDH3UU9DEtTDc5dty75+wTzVkFAls1BqwACgkQdty75+wT
zVl14Af+IjCt/iQxnZAegl4OWlwlTAmz/mmZMV+hvecw4wXP6qPy8nfkacGqA1Rh
TN8HzS2k8iuEno1hCDTIWOio7CJsVXL57SkTYu40/HuUpya5bZz2ke/KlJ2SfzPL
KtG546tqNMwFgGqhbMuaPGXlQiiWMI/W4qvFywjf3AymQepI310rCa750JkF2X73
c1OOiIZMikZIfiu63rSxZAKbHEho2OxsPvoO8agmAyKHolIokIP1ksKoGX4lRGuL
4iUmhxjbi1YlTvOZnL5X+J9JXhLtPzj1S/ONwibK0QxUaxFW0p/xmx/TRCKKtBkU
LVKYxj8K24SP36qP573ufSq+afAK7w==
=nxsp
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

