First published: Tue Mar 29 2022
In RSA Archer 6.9.SP1 P3, application functions that the Administrator has precluded can still be reached by intercepting the API request to the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of that request are replaced with empty values, the check passes and the attacker gains access to the precluded functions.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| RSA Archer | >=6.1.0.0 and <6.9.3.3 | Upgrade to 6.9.3.3 or later (outside the affected range) |
The vulnerability ID for this RSA Archer issue is CVE-2021-41594.
The severity of CVE-2021-41594 is medium, with a score of 6.5.
The advisory text names RSA Archer 6.9.SP1 P3; the affected-version range recorded above is RSA Archer >=6.1.0.0 and <6.9.3.3.
An attacker can bypass the Administrator's preclusion of application functions in RSA Archer 6.9.SP1 P3 by intercepting the request to the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint and submitting it with empty parameters. The security-relevant point is that the access decision depends on parameters the client controls, so blanking them turns the check fail-open. The general remediation for this weakness class (not a description of the vendor's fix) is to enforce the permission server-side inside each precluded function and to deny any check whose identifying parameters are missing or malformed.
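The following is an added illustration of the weakness class described above, not RSA Archer's code and not a reproduction of the real endpoint: a permission check that treats a blank function identifier as "nothing is precluded", shown beside a fail-closed version. The roles, task identifiers and `PRECLUDED` policy table are constructed for the example.

```python
"""Illustrative fail-open vs fail-closed task-access check.

Added example code; it does not reproduce RSA Archer's implementation.
It models the weakness behind CVE-2021-41594: an authorization check that
passes when the caller blanks out the parameter naming the function.
All roles, task identifiers and the PRECLUDED table are constructed here.
"""
from dataclasses import dataclass

# Constructed policy: application functions the administrator has precluded
# for each role. An admin has nothing precluded.
PRECLUDED = {
    "analyst": {"export_records", "delete_record"},
    "admin": set(),
}


@dataclass
class Request:
    user_role: str
    task_id: str  # identifies the application function being requested


def check_task_access_vulnerable(req: Request) -> bool:
    """Fail-open check.

    A blank task_id matches no entry in the precluded set, so the request
    is allowed even though the caller never named a function. An unknown
    role likewise defaults to an empty set and is allowed.
    """
    return req.task_id not in PRECLUDED.get(req.user_role, set())


def check_task_access_hardened(req: Request) -> bool:
    """Fail-closed check.

    Reject malformed input before consulting policy, deny unknown roles,
    and only then answer the question the policy can actually decide.
    """
    if not req.task_id or not req.task_id.strip():
        return False
    if req.user_role not in PRECLUDED:
        return False
    return req.task_id not in PRECLUDED[req.user_role]


def probe(check) -> dict:
    """Replay the interception pattern from the advisory against a check:
    a legitimate request for a precluded function, then the same request
    with its identifying parameter blanked out.
    """
    legit = Request("analyst", "export_records")
    blanked = Request("analyst", "")
    return {"legit": check(legit), "blanked": check(blanked)}


if __name__ == "__main__":
    print("vulnerable:", probe(check_task_access_vulnerable))
    print("hardened:  ", probe(check_task_access_hardened))
```

The `probe` function is the test a practitioner would run against any permission endpoint of this shape: take a request that is correctly denied, blank the parameters that identify the resource or function, and confirm the answer is still a denial. Note also that a separate "check access" endpoint is only a convenience for the client; the function handlers themselves must re-check the permission, because anything the client calls first it can also skip.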
More information about this vulnerability is available at the following references: [Link 1](https://www.archerirm.community/t5/security-advisories/archer-an-rsa-business-update-for-multiple-vulnerabilities/ta-p/674497), [Link 2](https://www.rsa.com/en-us/company/vulnerability-response-policy)