Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2019-5642
CWE-ID: CWE-732
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: Metasploit (Client/Desktop applications / Other client software)
Vendor: Rapid7
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU35112
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5642
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
Description
The vulnerability allows a local authenticated user to gain access to sensitive information.
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732: the unique server.key is written to the file system during installation with world-readable permissions. Because any local account can read the private key, other users of the same system where Metasploit Pro is installed can intercept otherwise private communications to the Metasploit Pro web interface.
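The condition described above is a file-permission defect, so it can be audited and corrected with ordinary shell tools. The following script is an added example for this page, not code from the advisory or from Rapid7: it reports whether a private key file is readable by users outside its owner and group (the CWE-732 state the description names) and restricts it to the owner. The server.key path is an assumed placeholder; substitute the location used by your installation.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Metasploit Pro itself: audit a
# TLS private key file for the CWE-732 condition described above (a key
# readable by every local user) and remediate it. The key path used in demo()
# is a constructed placeholder, not the product's real install location.

# Print the permission bits of the "other" class as shown by ls -l,
# e.g. "r--" for a 0644 file. Fails (status 2) if the file is missing.
other_perms() {
    path="$1"
    [ -f "$path" ] || return 2
    ls -ld "$path" | cut -c8-10
}

# Succeed (status 0) when any "other" bit is set, i.e. the key is exposed to
# accounts outside the owner and group.
key_exposed() {
    perms=$(other_perms "$1") || return 2
    [ "$perms" != "---" ]
}

# Restrict the key to its owner (mode 0600) and report the before/after bits.
harden_key() {
    path="$1"
    before=$(other_perms "$path") || return 2
    chmod 600 "$path"
    after=$(other_perms "$path")
    echo "$path: other=$before -> other=$after"
}

# Constructed demonstration with a throwaway key file so the script runs
# offline without touching a real installation.
demo() {
    tmpdir=$(mktemp -d)
    key="$tmpdir/server.key"                          # placeholder path
    umask 022                                         # common default umask
    echo "-----BEGIN PRIVATE KEY----- (constructed)" > "$key"   # created 0644
    if key_exposed "$key"; then
        echo "WARNING: $key is readable by other users"
        harden_key "$key"
    fi
    if key_exposed "$key"; then
        echo "still exposed: $key"
    else
        echo "OK: $key is owner-only"
    fi
    rm -rf "$tmpdir"
}

demo
```

The check reads the "other" triplet directly from `ls -l` output, so it needs neither GNU nor BSD-specific `stat` flags. On a real host, point `key_exposed` at the installed server.key; a non-empty "other" field after the vendor update would indicate that the permissions were not corrected and the key should be both restricted and rotated.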
Mitigation
Install update from vendor's website.
Vulnerable software versions
Metasploit: 4.2.0 - 4.15.8
External links
http://help.rapid7.com/metasploit/release-notes/?rid=4.16.0-2019091001
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally: the attacker needs valid credentials for an account on the system and must successfully authenticate to it.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.