PT-2024-38768 · Rapid7 · Rapid7 Insight Platform
Abhik Makwana · Published 2024-09-09 · Updated 2024-09-17 · CVE-2024-8042

CVSS v3.1: 3.1 (Low)
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rapid7 Insight Platform, versions released between November 2019 and August 14, 2024.
Description: The issue stems from missing authorization in the Rapid7 Insight Platform. An attacker able to intercept local requests could add an empty user group to the wrong customer, because the platform did not properly check authorization when setting the name and description of a new user group.
Recommendations: For Rapid7 Insight Platform versions released between November 2019 and August 14, 2024, update to a version released after August 14, 2024, which resolves the issue. As a temporary workaround, consider restricting access to user group management features until the update is applied.

Fix
Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2024-8042
Affected Products: Rapid7 Insight Platform