CVE-2022-4261

CVSS V2: None
CVSS V3: None
Description
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.
Overview
  • CVE ID: CVE-2022-4261
  • Assigner: cve@rapid7.com
  • Vulnerability Status: Analyzed
  • Published Version: 2022-12-08T00:15:10
  • Last Modified Date: 2022-12-12T17:09:00
CPE Configuration (Product)
CPE                                         Vulnerable  Operator  Version Start  Version End
cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*  1           OR        (none)         6.6.172
cpe:2.3:a:rapid7:nexpose:*:*:*:*:*:*:*:*    1           OR        (none)         6.6.172
History
Each entry gives the time the change was recorded, the data type that changed, and the old and new values where the tracker kept them.
  • 2022-12-08 01:04:21: Added to TrackCVE
  • 2022-12-08 04:38:28: CVE Published Date updated (old value 2022-12-08T00:15:10.533, new value 2022-12-08T00:15:10)
  • 2022-12-08 04:38:28: CVE Modified Date updated (new value 2022-12-08T04:33:59)
  • 2022-12-08 04:38:28: Vulnerability Status updated (old value Received, new value Awaiting Analysis)
  • 2022-12-08 17:16:11: CVE Modified Date updated (new value 2022-12-08T15:15:09)
  • 2022-12-08 17:16:11: Description updated. The old value began "Rapid7 Nexpose versions prior to 6.6.172 failed to reliably validate the authenticity of update contents."; the new value begins "Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents." The remainder of the text is unchanged: "This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself."
  • 2022-12-08 17:16:12: References updated
  • 2022-12-09 16:15:51: Vulnerability Status updated (old value Awaiting Analysis, new value Undergoing Analysis)
  • 2022-12-12 17:15:03: CVE Modified Date updated (new value 2022-12-12T17:09:00)
  • 2022-12-12 17:15:03: Vulnerability Status updated (old value Undergoing Analysis, new value Analyzed)
  • 2022-12-12 17:15:03: Weakness Enumeration new (CWE-494)
  • 2022-12-12 17:15:04: CPE Information updated