PT-2023-13700 · Rapid7 · Rapid7 Nexpose, InsightVM

Published: 2023-02-01 · Updated: 2023-02-09 · CVE-2022-3913

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177

Description: The issue arises from the failure to validate the certificate of the update server when downloading updates. This could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint or intercept communications to the legitimate endpoint. The attacker would need pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server's FQDN or redirect legitimate traffic to the attacker's server. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate.

Recommendations: For Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177, update to version 6.6.178 or later to resolve the issue. As a temporary workaround, consider restricting access to the update server or implementing additional network security measures to minimize the risk of exploitation.
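To illustrate the weakness class described above, here is an added example (not Rapid7's own code) of an update-download client's TLS configuration in its weak form beside its hardened form, plus an audit helper a reviewer could run against either; the update host and CA bundle path are placeholders.

```python
import shutil
import ssl
import urllib.request
from typing import List, Optional

# Placeholder; the advisory does not name the real update server.
UPDATE_HOST = "updates.example.invalid"


def insecure_context() -> ssl.SSLContext:
    """The failure mode in the advisory: TLS is spoken, but the server's
    certificate is never checked, so any on-path host can impersonate
    the update server or observe the exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: require a chain to a trusted CA, match the hostname
    against the certificate, and refuse legacy protocol versions.
    Passing ca_bundle pins the update channel to one CA instead of the
    whole system trust store (assumed deployment choice)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed (minimum_version < TLSv1_2)")
    return findings


def download_update(path: str, dest: str, ctx: ssl.SSLContext) -> None:
    """Fetch an update over the given context. TLS validation only protects
    the channel; the package's own code signature is a separate check and
    is what actually stops a substituted package (as the advisory notes)."""
    url = "https://%s/%s" % (UPDATE_HOST, path.lstrip("/"))
    with urllib.request.urlopen(url, context=ctx) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
```

Run audit_context over the context an updater actually uses before release; a non-empty result for a client that talks to an update server is the condition this advisory describes.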

Fix

Weakness Enumeration
Improper Certificate Validation

Related Identifiers
CVE-2022-3913

Affected Products
InsightVM
Rapid7 Nexpose