Overview
- Description
- Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.
- Source
- cve@rapid7.com
- NVD status
- Modified
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Severity
- MEDIUM
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8445EB28-3D0F-44C4-A6E8-D79FC0C12AA6",
"versionEndExcluding": "6.6.172"
},
{
"criteria": "cpe:2.3:a:rapid7:nexpose:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "17F4869F-E078-44DD-AF60-7D1791240783",
"versionEndExcluding": "6.6.172"
}
],
"operator": "OR"
}
]
}
]