Description
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.
References
- Release Notes (Vendor Advisory)
- Release Notes (Vendor Advisory)
- Exploit, Mitigation (Vendor Advisory)
- Release Notes (Vendor Advisory)
- Release Notes (Vendor Advisory)
- Exploit, Mitigation (Vendor Advisory)
Vulnerable configurations
One of
EPSS
CVSS3: 4.4 Medium
CVSS3: 6.5 Medium
Defects
Related vulnerabilities
Rapid7 Nexpose versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.
EPSS
CVSS3: 4.4 Medium
CVSS3: 6.5 Medium