Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-5559

In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect Rapid7 Komand version 0.42.0 and later versions.

Published

2018-11-28T19:29:00.243

Last Modified

2024-11-21T04:09:03.857

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 3.4 (LOW)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-212
Type: Primary
CWE-312

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	rapid7	komand	≤ 0.41.0	Yes

References

https://docs.komand.com/docs/release-notes#section-komand-v0-42-0-2018-11-1 Release Notes, Vendor Advisory ([email protected])
https://www.alexanderjaeger.de/cve-2018-5559_my_first_cve/ Exploit, Third Party Advisory ([email protected])
https://docs.komand.com/docs/release-notes#section-komand-v0-42-0-2018-11-1 Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.alexanderjaeger.de/cve-2018-5559_my_first_cve/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)