First published: Thu Sep 03 2020
In Rapid7 Nexpose installer versions prior to 6.6.40, the installer calls an executable which an attacker with access to the local machine can place in the appropriate directory. The installer therefore cannot distinguish between the valid executable called during a Security Console installation and an arbitrary executable planted under the same file name.
Credit: cve@rapid7.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rapid7 Nexpose | <6.6.40 | Upgrade to 6.6.40 or later |
CVE-2020-7381 is a vulnerability in Rapid7 Nexpose installer versions prior to 6.6.40.
The severity of CVE-2020-7381 is high (7.8).
CVE-2020-7381 affects Rapid7 Nexpose installer versions prior to 6.6.40.
An attacker with access to the local machine can place an executable in the appropriate directory, which the Nexpose installer will call, potentially leading to security compromise.
The fix for CVE-2020-7381 is to upgrade to Rapid7 Nexpose version 6.6.40 or later.
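The flaw class described above is an installer executing a file that a local user could plant. The following is an added example, written for this page and not Rapid7's code; it does not reflect how the Nexpose installer actually locates its helper. It shows the defensive check an installer can apply before launching a helper executable: require an absolute path under a known root, and refuse the file if it, or any directory between it and that root, is owned by an unprivileged user or is group- or world-writable. The function names (`check_trusted_executable`, `demo`), the trusted-root layout and the constructed sample files are all assumptions of this example; it is POSIX-only because it relies on owner UIDs and mode bits.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Hypothetical installer helper check (not Rapid7's code).


def check_trusted_executable(candidate, trusted_root):
    """Return (True, resolved_path) if `candidate` may be executed, else (False, reason).

    Conditions enforced (assumptions of this example, not the vendor's checks):
      * the path is absolute, so the OS search path is never consulted;
      * it resolves to a regular file under `trusted_root`;
      * the file and every directory from it up to `trusted_root` are owned by
        root or the installing user and are not group- or world-writable,
        so no other local user could have planted or replaced the file.
    """
    path = Path(candidate)
    if not path.is_absolute():
        return False, "relative name: would be resolved via the search path"
    root = Path(trusted_root).resolve()
    try:
        resolved = path.resolve(strict=True)
    except FileNotFoundError:
        return False, "file does not exist"
    if root not in resolved.parents:
        return False, f"{resolved} is outside trusted root {root}"
    st = resolved.stat()
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    allowed_owners = {0, os.getuid()}
    if st.st_uid not in allowed_owners:
        return False, "file owned by an unprivileged user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "file is group- or world-writable (plantable)"
    # Walk from the file's directory up to and including the trusted root:
    # a writable directory anywhere on that chain lets a local user swap the file.
    for directory in (resolved.parent, *resolved.parent.parents):
        dst = directory.stat()
        if dst.st_uid not in allowed_owners:
            return False, f"directory {directory} owned by an unprivileged user"
        if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"directory {directory} is group- or world-writable"
        if directory == root:
            break
    return True, resolved


def demo():
    """Build a constructed layout in private temp dirs and return the verdict per case."""
    root = Path(tempfile.mkdtemp(prefix="installer-root-"))  # created mode 0700, owned by us
    elsewhere = Path(tempfile.mkdtemp(prefix="elsewhere-"))
    verdicts = {}
    try:
        good = root / "helper"
        good.write_text("#!/bin/sh\necho ok\n")
        good.chmod(0o755)
        verdicts["good"] = check_trusted_executable(good, root)[0]

        # Bare name: the installer would let the search path pick the binary.
        verdicts["relative"] = check_trusted_executable("helper", root)[0]

        # Right directory, but anyone could overwrite the file.
        planted = root / "planted"
        planted.write_text("#!/bin/sh\necho planted\n")
        planted.chmod(0o777)
        verdicts["world_writable_file"] = check_trusted_executable(planted, root)[0]

        # File itself is fine, but its directory lets anyone replace it.
        loose = root / "drop"
        loose.mkdir()
        loose.chmod(0o777)
        inner = loose / "helper"
        inner.write_text("#!/bin/sh\necho ok\n")
        inner.chmod(0o755)
        verdicts["world_writable_dir"] = check_trusted_executable(inner, root)[0]

        # Well-permissioned file, but outside the trusted root.
        other = elsewhere / "helper"
        other.write_text("#!/bin/sh\necho ok\n")
        other.chmod(0o755)
        verdicts["outside_root"] = check_trusted_executable(other, root)[0]

        verdicts["missing"] = check_trusted_executable(root / "nope", root)[0]
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(elsewhere, ignore_errors=True)
    return verdicts


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} -> {'execute' if accepted else 'refuse'}")
```

Only the well-permissioned file directly under the trusted root is accepted; the relative name, the world-writable file, the file in a world-writable directory, the file outside the root and the missing file are all refused. The same pattern applies to the fix for this advisory: an installer that resolves its helpers against a protected installation directory and verifies ownership and write permissions is not fooled by a same-named file a local user dropped beforehand.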