CVE-2019-5642

Опубликовано: 06 нояб. 2019

Источник: nvd

CVSS3: 3.3

CVSS2: 2.1

EPSS Низкий

Описание

Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.

Ссылки

https://help.rapid7.com/metasploit/release-notes/?rid=4.16.0-2019091001
Release Notes
Vendor Advisory
https://help.rapid7.com/metasploit/release-notes/?rid=4.16.0-2019091001
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:rapid7:metasploit:*:*:*:*:pro:*:*:*

Версия до 4.16.0 (исключая)

cpe:2.3:a:rapid7:metasploit:4.16.0:-:*:*:pro:*:*:*

cpe:2.3:a:rapid7:metasploit:4.16.0:20190722:*:*:pro:*:*:*

cpe:2.3:a:rapid7:metasploit:4.16.0:20190805:*:*:pro:*:*:*

cpe:2.3:a:rapid7:metasploit:4.16.0:2019081901:*:*:pro:*:*:*

EPSS

Процентиль: 27%

0.00095

Низкий

3.3 Low

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-732

Связанные уязвимости

GHSA-g8mp-gm84-qx6x

github

больше 3 лет назад