Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-5638

Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user account's current session is still valid after the password change, potentially allowing the attacker who originally compromised the credential to remain logged in and able to cause further damage.

Published

2019-08-21T20:15:13.007

Last Modified

2024-11-21T04:45:17.150

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.7 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-613
Type: Primary
CWE-613

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	rapid7	nexpose	≤ 6.5.50	Yes

References

https://docs.rapid7.com/insightvm/enable-insightvm-platform-login ([email protected])
https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/ Release Notes ([email protected])
https://docs.rapid7.com/insightvm/enable-insightvm-platform-login (af854a3a-2127-422b-91ae-364da2661108)
https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/ Release Notes (af854a3a-2127-422b-91ae-364da2661108)