CVE-2022-4261

Name of the Vulnerable Software and Affected Versions Rapid7 Nexpose and InsightVM versions prior to 6.6.172

Description The issue is related to the failure of Rapid7 Nexpose and InsightVM to reliably validate the authenticity of update contents. This could allow an attacker to provide a malicious update, altering the functionality of Rapid7 Nexpose. The attacker would need a pre-existing mechanism to provide a malicious update, such as through social engineering, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.

Recommendations For versions prior to 6.6.172, update to version 6.6.172 or later to resolve the issue. As a temporary workaround, consider restricting access to the update service to minimize the risk of exploitation. Avoid using unverified update sources until the issue is resolved.