CVE-2022-4261
CVSS V2 None
CVSS V3 None
Description
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.
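The weakness NVD later assigned to this entry is CWE-494 (download of code without integrity check). The following is an added illustration of that class, not Rapid7's code and not a description of how the Nexpose updater is actually built: an updater that only confirms a payload matches a digest delivered beside it accepts a bundle the attacker swapped in the update path, because the attacker controls the digest too, whereas a signature over the payload verified against a vendor key pinned in the updater rejects it. The `Update` struct, the key pairs and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is what the updater receives: the payload plus whatever "proof"
// travels with it. The layout is constructed for this example and does not
// describe Rapid7's actual update format.
type Update struct {
	Payload []byte
	Digest  [sha256.Size]byte // SHA-256 of Payload, delivered over the same channel
	Sig     []byte            // Ed25519 signature over Payload by the vendor key
}

// acceptDigestOnly models the weak check: the payload matches the digest that
// arrived next to it. Anyone who can replace the download (social engineering,
// a swapped file, an attacker-in-the-middle on the update service) can replace
// the digest as well, so this proves integrity in transit but not origin.
func acceptDigestOnly(u Update) bool {
	return sha256.Sum256(u.Payload) == u.Digest
}

// acceptSigned models the fix: a vendor public key pinned in the updater at
// build time is the only trust anchor, and a payload is accepted only if it
// carries a signature that verifies under that key.
func acceptSigned(pinned ed25519.PublicKey, u Update) bool {
	if len(pinned) != ed25519.PublicKeySize || len(u.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, u.Payload, u.Sig)
}

// buildUpdate is the vendor side: attach the digest and sign the payload.
func buildUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{
		Payload: payload,
		Digest:  sha256.Sum256(payload),
		Sig:     ed25519.Sign(priv, payload),
	}
}

// tamper is the attacker side: ship a different payload, recompute the digest
// so the digest-only check still passes, and sign with a key the attacker
// controls. Without the vendor's private key no signature the attacker can
// produce verifies under the pinned public key.
func tamper(attackerPriv ed25519.PrivateKey, evil []byte) Update {
	return buildUpdate(attackerPriv, evil)
}

// Outcome records each check so callers (and tests) can inspect results
// instead of reading printed output.
type Outcome struct {
	GenuineDigestOK  bool // genuine update, digest check
	GenuineSigOK     bool // genuine update, signature check
	TamperedDigestOK bool // tampered update, digest check (still passes)
	TamperedSigOK    bool // tampered update, signature check (fails)
	NoSigOK          bool // tampered update with the signature stripped (fails)
}

// runScenario generates a fresh vendor key pair and an attacker key pair,
// builds a genuine and a tampered update from constructed sample payloads,
// and runs both checks against each.
func runScenario() Outcome {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := buildUpdate(vendorPriv, []byte("constructed sample update bundle: version 6.6.172"))
	evil := tamper(attackerPriv, []byte("constructed attacker bundle: arbitrary code"))
	stripped := evil
	stripped.Sig = nil

	return Outcome{
		GenuineDigestOK:  acceptDigestOnly(genuine),
		GenuineSigOK:     acceptSigned(vendorPub, genuine),
		TamperedDigestOK: acceptDigestOnly(evil),
		TamperedSigOK:    acceptSigned(vendorPub, evil),
		NoSigOK:          acceptSigned(vendorPub, stripped),
	}
}

func main() {
	o := runScenario()
	fmt.Printf("genuine  : digest=%v signature=%v\n", o.GenuineDigestOK, o.GenuineSigOK)
	fmt.Printf("tampered : digest=%v signature=%v stripped-signature=%v\n",
		o.TamperedDigestOK, o.TamperedSigOK, o.NoSigOK)
}
```

The second printed line is the point: the digest-only check accepts the attacker's bundle, the pinned-key signature check does not. Two caveats carry over to any real updater: the verification key must not be fetched over the same channel as the update (a key delivered beside the payload reintroduces the flaw), and the signed data should include version metadata, otherwise a genuinely signed but older, vulnerable update can be replayed.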
Overview
- CVE ID
- CVE-2022-4261
- Assigner
- cve@rapid7.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-12-08T00:15:10
- Last Modified Date
- 2022-12-12T17:09:00
Weakness Enumerations
CWE-494: Download of Code Without Integrity Check
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End (excluding) |
---|---|---|---|---|
cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:* | 1 | OR | | 6.6.172 |
cpe:2.3:a:rapid7:nexpose:*:*:*:*:*:*:*:* | 1 | OR | | 6.6.172 |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-4261 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4261 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-12-08 01:04:21 | | | | Added to TrackCVE |
2022-12-08 04:38:28 | 2022-12-08T00:15:10.533 | 2022-12-08T00:15:10 | CVE Published Date | updated |
2022-12-08 04:38:28 | | 2022-12-08T04:33:59 | CVE Modified Date | updated |
2022-12-08 04:38:28 | Received | Awaiting Analysis | Vulnerability Status | updated |
2022-12-08 17:16:11 | | 2022-12-08T15:15:09 | CVE Modified Date | updated |
2022-12-08 17:16:11 | Rapid7 Nexpose versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself. | Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself. | Description | updated |
2022-12-08 17:16:12 | | | References | updated |
2022-12-09 16:15:51 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
2022-12-12 17:15:03 | | 2022-12-12T17:09:00 | CVE Modified Date | updated |
2022-12-12 17:15:03 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
2022-12-12 17:15:03 | | CWE-494 | Weakness Enumeration | new |
2022-12-12 17:15:04 | | | CPE Information | updated |