PT-2005-3387 · Rapid7 · Metasploit Framework

Published

2005-08-07

Updated

2017-07-11

CVE-2005-2482

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Metasploit Framework versions 2.4 and earlier

Description The issue concerns the StateToOptions function in msfweb, which is part of the Metasploit Framework. When running in defanged mode (with the -D option), this function allows attackers to modify temporary environment variables before the " Defanged" environment option is checked. This occurs during the processing of the Exploit command.

Recommendations For Metasploit Framework versions 2.4 and earlier, consider disabling the StateToOptions function or defanged mode until a fix is available to prevent potential exploitation. Restrict access to the Exploit command to minimize the risk of modification of temporary environment variables.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2005-2482

Affected Products

Metasploit Framework

PT-2005-3387 · Rapid7 · Metasploit Framework

CVE-2005-2482

Related Identifiers

Affected Products

References · 7