CVE-2019-5638

Published: Aug 21, 2019Modified: Nov 21, 2024

8.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Exploitability: 2.3 / Impact: 5.8

Source: cve@rapid7.com (Secondary)

Description

Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.

Affected (1)

Products: Rapid7: Nexpose

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rapid7 Nexpose	Up to 6.5.50

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (4)

https://docs.rapid7.com/insightvm/enable-insightvm-platform-login

Source: cve@rapid7.com

https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/

Source: cve@rapid7.com

Release Notes

https://docs.rapid7.com/insightvm/enable-insightvm-platform-login

Source: af854a3a-2127-422b-91ae-364da2661108

https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

Timeline

No history available yet.