CVE-2019-5631

Published: Aug 19, 2019Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. If exploited, a local user of the system (who must already be authenticated to the operating system) can elevate their privileges with this vulnerability to the privilege level of InsightAppSec (usually, SYSTEM). This issue affects version 2019.06.24 and prior versions of the product.

Affected (1)

Products: Rapid7: Insightappsec

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rapid7 Insightappsec	Up to 2019.06.24

Related CWEs

Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

References (2)

https://help.rapid7.com/insightappsec/release-notes/archive/2019/07/

Source: cve@rapid7.com

Release NotesVendor Advisory

https://help.rapid7.com/insightappsec/release-notes/archive/2019/07/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.