000033247 - RSA Via Lifecycle & Governance Information Defined in User Detail Popups

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000033247
Applies To: RSA Product Set: RSA Via Lifecycle & Governance
RSA Product/Service Type: Identity Management and Governance
RSA Version/Condition: 6.8.1 P01 - P24, 6.9.1 P01 - P14, 7.0.0 P01 - P03
Issue: Due to a potential security vulnerability in RSA Via Lifecycle & Governance (RSA Via L&G), the product now restricts how much information about a user is displayed in the Edit Attributes pop-up screen. If the person opening the Edit Attributes pop-up screen is privileged to see that user, all attributes are displayed. For non-privileged users, only the user’s name, title, business unit and availability status are shown.
Prior to this change, non-privileged users could access this view, allowing them to view all the details for users they were not authorized to view.
Cause: Lack of security checks when displaying the user dialog.
Resolution: The following RSA Via Lifecycle and Governance releases contain resolutions to these vulnerabilities:
  • RSA Identity Management and Governance 6.8.1 P25
  • RSA Identity Management and Governance 6.9.1 P15, and
  • RSA Via Lifecycle and Governance 7.0.0 P04
Workaround: There is no workaround for this issue. Please patch to the listed versions.
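
An added illustration of the behaviour described under Issue and Cause, not RSA's code: the attribute set is chosen on the server from an allow-list, and a second function audits a payload for attributes a non-privileged viewer should not receive. The attribute keys, the `viewer_is_privileged` flag and the sample record are assumptions constructed for this example.

```python
# Added example, not product code. Attribute keys and the privilege flag
# are hypothetical names chosen for illustration.

# The four attributes the article says a non-privileged viewer may see.
PUBLIC_ATTRIBUTES = ("name", "title", "business_unit", "availability_status")


def project_user(record, viewer_is_privileged):
    """Return only the attributes this viewer may see, decided server-side."""
    if viewer_is_privileged:
        return dict(record)
    # Allow-list rather than deny-list: an attribute added to the record
    # later stays hidden from non-privileged viewers by default.
    return {key: record[key] for key in PUBLIC_ATTRIBUTES if key in record}


def overexposed(payload, viewer_is_privileged):
    """List attributes in a dialog payload that the viewer should not receive."""
    if viewer_is_privileged:
        return []
    return sorted(set(payload) - set(PUBLIC_ATTRIBUTES))


# Constructed sample record; values are placeholders.
SAMPLE_USER = {
    "name": "Example User",
    "title": "Analyst",
    "business_unit": "Finance",
    "availability_status": "Available",
    "email": "user@example.com",
    "employee_id": "E-0000",
    "manager": "Example Manager",
}

if __name__ == "__main__":
    # Missing check: the full record reaches a non-privileged viewer.
    print("unfiltered:", overexposed(SAMPLE_USER, False))
    # With the check: only the allow-listed attributes remain.
    filtered = project_user(SAMPLE_USER, False)
    print("filtered:  ", overexposed(filtered, False), sorted(filtered))
```

Running `overexposed` against the dialog payload captured for a non-privileged test account is a quick regression check after patching.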
