Incorrect permission assignment for critical resource in Metasploit - CVE-2019-5642
Published: November 6, 2019 / Updated: August 8, 2020
Metasploit
Detailed vulnerability description
The vulnerability allows a local authenticated user to gain access to sensitive information.
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
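As an added defender-side check, not code from Rapid7 or from this advisory, the script below audits a private key file for the CWE-732 condition described above (group- or world-readable mode bits) and optionally tightens it to owner-only access; the key path used is a constructed temporary file standing in for the real server.key location, which the advisory does not give.

```python
import os
import stat
import tempfile

# Added example (not Rapid7's code): detect and remediate a private key
# file that was written with world-readable permissions.

def world_readable(path: str) -> bool:
    """True if group or other can read the file, the advisory's condition."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_key(path: str, fix: bool = False) -> dict:
    """Report the key file's mode; with fix=True, restrict it to owner read/write."""
    before = stat.S_IMODE(os.stat(path).st_mode)
    exposed = world_readable(path)
    if exposed and fix:
        os.chmod(path, 0o600)  # owner rw, nothing for group/other
    after = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "path": path,
        "before": oct(before),
        "after": oct(after),
        "was_exposed": exposed,
        "exposed_now": world_readable(path),
    }

def demo() -> dict:
    """Constructed sample: a key file created with mode 0644, as the advisory describes."""
    fd, path = tempfile.mkstemp(suffix="server.key")  # placeholder path, not the product's
    os.close(fd)
    os.chmod(path, 0o644)
    try:
        return audit_key(path, fix=True)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

Run it against the installed key path with `fix=False` first to confirm the finding before changing modes on a production host.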