CVE-2019-18355: 
Thycotic Secret Server vulnerability analysis and mitigation

An SSRF (Server-Side Request Forgery) vulnerability was discovered in the legacy Web launcher component of Thycotic Secret Server versions prior to 10.7. This vulnerability was assigned identifier CVE-2019-18355 and was disclosed on October 23, 2019 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). This indicates that the vulnerability is network-exploitable, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The SSRF vulnerability could allow remote attackers to make unauthorized server-side requests through the affected component. Given the CVSS score of 9.8, this vulnerability could potentially lead to complete compromise of system confidentiality, integrity, and availability (NVD).

Users should upgrade to Thycotic Secret Server version 10.7 or later to address this vulnerability. The fix was included in the 10.7.000000 release (Release Notes).