Vulnerabilities > CVE-2019-16374 - Unspecified vulnerability in Pega Platform

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

pega

critical

NVD

Published: 2020-08-13

Updated: 2020-08-19

Summary

Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.

Vulnerable Configurations

Part	Description	Count
Application	Pega Pega Platform 8.1.0 Pega Platform 8.1.1 Pega Platform 8.1.2 Pega Platform 8.1.3 Pega Platform 8.1.4 Pega Platform 8.1.5 Pega Platform 8.1.6 Pega Platform 8.1.7 Pega Platform 8.1.8 Pega Platform 8.1.9 Pega Platform 8.2.0 Pega Platform 8.2.1	12

References

https://gist.github.com/IAG0110/0205823570ba04ec12e656f7f4602877
https://community.pega.com/upgrade