Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-7382

Rapid7 Nexpose installer version prior to 6.6.40 contains an Unquoted Search Path which may allow an attacker on the local machine to insert an arbitrary file into the executable path. This issue affects: Rapid7 Nexpose versions prior to 6.6.40.

Published

2020-09-03T14:15:11.103

Last Modified

2024-11-21T05:37:08.370

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.8 (MEDIUM)

CVSSv2 Vector

AV:L/AC:M/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

3.4

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-428
Type: Primary
CWE-428

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	rapid7	nexpose	< 6.6.40	Yes

References

https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40 Release Notes, Vendor Advisory ([email protected])
https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40 Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)