CVE-2019-5642

Published: Nov 6, 2019Modified: Nov 21, 2024

3.3

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 1.8 / Impact: 1.4

Source: NVD

Description

Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.

Affected (5)

Products: Rapid7: Metasploit

Rapid7

1 product

Metasploit

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Rapid7 Metasploit	Before 4.16.0
Rapid7 Metasploit	Version 4.16.0
Rapid7 Metasploit	Version 4.16.0 20190722
Rapid7 Metasploit	Version 4.16.0 20190805
Rapid7 Metasploit	Version 4.16.0 2019081901

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://help.rapid7.com/metasploit/release-notes/?rid=4.16.0-2019091001

Source: cve@rapid7.com

Release NotesVendor Advisory

https://help.rapid7.com/metasploit/release-notes/?rid=4.16.0-2019091001

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.