Access Control Bypass in RSA Archer by RSA
CVE-2021-41594
6.5 MEDIUM
Summary
In RSA Archer 6.9.SP1 P3, an access control vulnerability allows an attacker to bypass user permissions. The issue arises when an Administrator restricts certain application functions: the restriction is enforced through a permission check issued to the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. An attacker who intercepts that API request and replaces its parameters with empty fields gains unauthorized access to the restricted functions, potentially compromising sensitive data and operations.
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved