RSA Archer up to 6.7 P2 Cache/Log File get request method with sensitive query strings
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.8 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic was found in RSA Archer up to 6.7 P2. It affects an unknown part of the Cache/Log File component. The manipulation results in use of the GET request method with sensitive query strings. This vulnerability was named CVE-2020-5331. The attack must be carried out locally. No exploit is available. Applying a patch is advised to resolve this issue.
Details
A vulnerability classified as problematic has been found in RSA Archer up to 6.7 P2 (Risk Management System). Affected is an unknown function of the Cache/Log File component. Manipulation with an unknown input leads to a "use of GET request method with sensitive query strings" vulnerability. CWE classifies the issue as CWE-598: the web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request, so that information ends up wherever the URL is recorded (cache entries, server and proxy logs, browser history). The impact is on confidentiality. CVE summarizes:
RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information exposure vulnerability. Users’ session information could potentially be stored in cache or log files. An authenticated malicious local user with access to the log files may obtain the exposed information to use it in further attacks.
The weakness was presented 05/04/2020. This vulnerability has been traded as CVE-2020-5331 since 01/03/2020. The attack must be carried out locally. Successful exploitation requires authentication. Neither technical details nor an exploit are publicly available.
Applying patch 6.7 P3 eliminates this problem.
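As an added illustration of the CWE-598 pattern described above, the following Python script shows the defender's side: a detector that flags GET requests carrying sensitive query parameters in an access log, and a scrubber that redacts those values before a line is retained. This is example code written for this entry, not RSA Archer code, and it makes no claim about how Archer stores session data. The parameter names in SENSITIVE_PARAMS and the three access-log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as sensitive. These names are an assumption
# made for this example; a real deployment would take them from its own
# session and authentication design.
SENSITIVE_PARAMS = {"sessionid", "session_token", "token", "password", "auth"}

# Constructed access-log lines (Common Log Format style) used as sample input.
# The first line shows the CWE-598 pattern: a session identifier carried in
# the query string of a GET request, which a web server or proxy writes to
# its access log verbatim.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - alice [04/May/2020:10:01:22 +0000] "GET /report?sessionid=abc123&page=2 HTTP/1.1" 200 5120',
    '10.0.0.7 - bob [04/May/2020:10:02:05 +0000] "GET /dashboard?view=risk HTTP/1.1" 200 980',
    '10.0.0.9 - carol [04/May/2020:10:03:41 +0000] "POST /login HTTP/1.1" 302 0',
]

# Matches the quoted request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def sensitive_params_in(target: str) -> list[str]:
    """Return the sorted sensitive parameter names present in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_query_string(target: str) -> str:
    """Replace the value of every sensitive query parameter with REDACTED."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scrub_log_line(line: str) -> str:
    """Mitigation: redact sensitive query values before a line is written or retained."""
    def _sub(m: re.Match) -> str:
        return f'"{m.group("method")} {redact_query_string(m.group("target"))} {m.group("proto")}"'
    return REQUEST_RE.sub(_sub, line)


def find_sensitive_get_requests(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Detection: (1-based line number, parameter names) for every GET request
    whose query string carries a sensitive parameter."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m is None or m.group("method") != "GET":
            continue
        names = sensitive_params_in(m.group("target"))
        if names:
            hits.append((number, names))
    return hits


if __name__ == "__main__":
    for number, names in find_sensitive_get_requests(SAMPLE_ACCESS_LOG):
        print(f"line {number}: sensitive GET parameters {names}")
    for line in SAMPLE_ACCESS_LOG:
        print(scrub_log_line(line))
```

The detector is useful for auditing an existing log archive for the exposure the CVE text describes; the scrubber belongs in the logging pipeline so that new lines never carry the value. Both are compensating controls: the root-cause fix for CWE-598 is to stop carrying session identifiers in the URL at all (cookie or request body instead), since URLs are copied into places the application does not control.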
See VDB-154732, VDB-154731, VDB-154730 and VDB-154729 for similar entries. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
- Vendor: https://www.rsa.com/
CVSSv3
- VulDB Meta Base Score: 6.1
- VulDB Meta Temp Score: 6.0
- VulDB Base Score: 3.3
- VulDB Temp Score: 3.2
- NVD Base Score: 8.8
Exploiting
Class: Use of GET request method with sensitive query strings
CWE: CWE-598
Physical: Partially
Local: Yes
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Patch
Patch: 6.7 P3
Timeline
- 01/03/2020: CVE-2020-5331 assigned
- 05/04/2020: weakness presented
- 05/05/2020: VulDB entry created
- 10/15/2020: VulDB entry updated
Sources
Vendor: rsa.com
Status: Not defined
CVE: CVE-2020-5331
GCVE (CVE): GCVE-0-2020-5331
GCVE (VulDB): GCVE-100-154728
Entry
Created: 05/05/2020 09:26
Updated: 10/15/2020 10:03
Changes: 05/05/2020 09:26 (38), 05/05/2020 09:31 (12), 10/15/2020 10:03 (1)
Cache ID: 216::103