First published: Thu Sep 12 2019(Updated: )
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
Credit: cve@rapid7.con
Affected Software | Affected Version | How to fix |
---|---|---|
Rapid7 Metasploit | <4.16.0 | |
Rapid7 Metasploit | =4.16.0 | |
Rapid7 Metasploit | =4.16.0-20190722 | |
Rapid7 Metasploit | =4.16.0-20190805 | |
Rapid7 Metasploit | =4.16.0-2019081901 |
This issue is resolved in Metasploit Pro version 4.16.0-2019091001
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for Rapid7 Metasploit Pro is CVE-2019-5642.
The severity of CVE-2019-5642 is low, with a severity value of 3.3.
The CWE for CVE-2019-5642 is CWE-732.
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior are affected.
The vulnerability in Rapid7 Metasploit Pro allows other users of the same system to intercept sensitive information due to world-readable permissions on the server.key file.