Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-7381


In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during a Security Console installation and any arbitrary code executable using the same file name.


Published

2020-09-03T14:15:10.977

Last Modified

2024-11-21T05:37:08.257

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-94
  • Type: Primary
    CWE-94

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application rapid7 nexpose < 6.6.40 Yes

References