CVE-2020-7358: Code Injection in Rapid7 AppSpider Pro Installer
First published: Fri Sep 18 2020(Updated: )
In AppSpider installer versions prior to 7.2.126, the AppSpider installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during an installation and any arbitrary code executable using the same file name.
Credit: cve@rapid7.con
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rapid7 Appspider | <7.2.126 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2020-7358?
CVE-2020-7358 is a vulnerability in AppSpider installer versions prior to 7.2.126.
How severe is CVE-2020-7358?
CVE-2020-7358 has a severity rating of 6.5 out of 10 (medium).
How can an attacker exploit CVE-2020-7358?
An attacker with access to the local machine can place a malicious executable in the appropriate directory, which the AppSpider installer will call during installation.
Which version of AppSpider is affected by CVE-2020-7358?
AppSpider installer versions prior to 7.2.126 are affected by CVE-2020-7358.
How do I fix CVE-2020-7358?
Upgrade to AppSpider installer version 7.2.126 or later to fix CVE-2020-7358.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/title
- agent/author
- agent/weakness
- agent/references
- agent/event
- agent/tags
- agent/description
- agent/first-publish-date
- vendor/rapid7
- canonical/rapid7 appspider