First published: Tue Sep 01 2020
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established or cause resource exhaustion on the Metasploit server.
Credit: cve@rapid7.con
Affected Software | Affected Version | How to fix |
---|---|---|
Rapid7 Metasploit | <=5.0.27 | |
CVE-2019-5645 is a vulnerability where an attacker can register an arbitrary regular expression and cause resource exhaustion on the Rapid7 Metasploit HTTP handler.
CVE-2019-5645 can either prevent new HTTP handler sessions from being established or cause resource exhaustion on the Metasploit HTTP handler.
CVE-2019-5645 has a severity rating of 7.5 (High).
To fix CVE-2019-5645, it is recommended to update Rapid7 Metasploit to version 5.0.27 or later.
More information about CVE-2019-5645 can be found at the following link: https://github.com/rapid7/metasploit-framework/pull/12433
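The bug class described above, request-supplied text being registered and later evaluated as a regular expression, is illustrated by this added Ruby example; it is not Metasploit's code. The `ResourceRegistry` class, its methods and the sample paths are hypothetical and constructed for illustration.

```ruby
# Hypothetical, simplified resource registry; not Metasploit's code.
# It models a server that stores handlers keyed by a URI string and
# picks a handler by matching the request path against each key.
class ResourceRegistry
  def initialize(escape_keys:)
    @escape_keys = escape_keys
    @resources = {} # insertion-ordered: key string => handler name
  end

  # Register a handler under a key that may come from a request.
  def add(key, handler)
    @resources[key] = handler
  end

  # Return the handler of the first key that matches the path.
  def dispatch(path)
    @resources.each do |key, handler|
      # Weak form: the key is compiled as a pattern, so metacharacters in a
      # request-derived key decide what it matches and how costly matching is.
      # Hardened form: Regexp.escape makes the key match only itself.
      source = @escape_keys ? Regexp.escape(key) : key
      return handler if path.match?(/\A#{source}/)
    end
    nil
  end
end

# Constructed scenario: a key derived from an untrusted request is registered
# first, then a legitimate session path is registered and requested.
def route_after_untrusted_key(escape_keys)
  reg = ResourceRegistry.new(escape_keys: escape_keys)
  reg.add('/.*', :untrusted)        # constructed request-derived key
  reg.add('/session/abc', :session) # constructed legitimate path
  reg.dispatch('/session/abc')
end
```

With escaping, a registered key contains no active quantifiers, so it can neither shadow other paths nor trigger backtracking during a match.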