PT-2019-17782 · Rapid7 · Rapid7 Insightvm

Published 2019-04-09 · Updated 2020-10-16 · CVE-2019-5615

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Rapid7 InsightVM versions 6.5.11 through 6.5.49

Description: This issue allows users with Site-level permissions to access sensitive files containing the encrypted passwords of Security Console Global Administrators and the clear-text passwords used for backup restoration, along with the password salt. Although valid credentials are needed to access these files, malicious users could still attempt to decrypt the credentials and escalate privileges with additional effort.

Recommendations: For Rapid7 InsightVM versions 6.5.11 through 6.5.49, consider restricting access to the sensitive files containing encrypted administrator passwords and clear-text backup passwords to minimize the risk of exploitation. As a temporary workaround, limit the privileges of users with Site-level permissions until a fix is available.

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2019-5615

Affected Products

Rapid7 Insightvm