PT-2019-17797 · Rapid7 · Metasploit Pro

Published

2019-11-06

·

Updated

2019-11-13

·

CVE-2019-5642

CVSS v3.1

3.3

Low

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rapid7 Metasploit Pro versions prior to 4.16.0-2019081901

Description: The issue allows other users of the same system where Metasploit Pro is installed to intercept private communications to the Metasploit Pro web interface. This occurs because the unique server.key is written to the file system during installation with world-readable permissions.

Recommendations: For Rapid7 Metasploit Pro versions prior to 4.16.0-2019081901, consider restricting access to the server.key file to prevent other users from reading it, until a newer version with proper permissions is available.
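The check and mitigation described above, as an added example that is not part of this advisory or of Rapid7's own tooling: it tests whether a private key file is readable by other local users and, if so, restricts it to its owner. It assumes a Unix-like installation; the advisory gives no installation path, so KEY_PATH is a placeholder the operator supplies.

```shell
#!/bin/sh
# Added example: detect a world-readable TLS private key (the class of defect
# described for Metasploit Pro's server.key) and tighten it to owner-only.
# Assumes a Unix-like host; the key location is not given by the advisory.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeed (exit 0) if the "other" class has the read bit set on the file.
is_world_readable() {
  mode=$(file_mode "$1")
  other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
  [ $((other & 4)) -ne 0 ]
}

# Report the key's state; if anyone else can read it, set mode 600 (rw-------).
# Always returns 0 so it can be used under "set -e"; the message carries the verdict.
harden_key() {
  key="$1"
  if [ ! -f "$key" ]; then
    echo "skip: $key does not exist"
    return 0
  fi
  if is_world_readable "$key"; then
    echo "WARN: $key is world-readable (mode $(file_mode "$key")); fixing"
    chmod 600 "$key"
    echo "fixed: $key now mode $(file_mode "$key")"
  else
    echo "ok: $key mode $(file_mode "$key") is not world-readable"
  fi
  return 0
}

# Usage: KEY_PATH=/path/to/server.key sh check_key.sh  (placeholder path)
if [ -n "${KEY_PATH:-}" ]; then
  harden_key "$KEY_PATH"
fi
```

Run it with the web server's key path in KEY_PATH; a "WARN" line means every local account could have copied the key until the fix was applied, which is worth noting in the incident record.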

Fix

Incorrect Permission


Weakness Enumeration

Related Identifiers

CVE-2019-5642

Affected Products

Metasploit Pro