CVE-2020-7350

Name of the Vulnerable Software and Affected Versions Rapid7 Metasploit Framework versions prior to 5.0.85

Description The issue arises from the libnotify plugin accepting untrusted user-supplied data via a remote computer's hostname or service name, leading to an instance of OS Command Injection. An attacker can create a specially-crafted hostname or service name to trigger a command injection on the operator's terminal. This vulnerability cannot be triggered through a normal scan operation and requires the attacker to supply a file that is processed with the db import command.

Recommendations For Rapid7 Metasploit Framework versions prior to 5.0.85, update to version 5.0.85 or later to resolve the issue. As a temporary workaround, consider restricting the use of the libnotify plugin until a patch is available. Avoid using the db import command with untrusted files until the issue is resolved.