CVE Vulnerabilities

CVE-2019-3715

Insertion of Sensitive Information into Log File

Published: Mar 13, 2019 | Modified: Aug 24, 2020
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
2.1 LOW
AV:L/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

RSA Archer versions, prior to 6.5 SP1, contain an information exposure vulnerability. Users session information is logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed information to use it in further attacks.

Weakness

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Affected Software

Name Vendor Start Version End Version
Archer_grc_platform Rsa * 6.5 (excluding)
Archer_grc_platform Rsa 6.5 (including) 6.5 (including)

Extended Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for:

Potential Mitigations

References