CVE-2023-1304 – Rapid7 InsightCloudSec getattr() method access
https://notcve.org/view.php?id=CVE-2023-1304
An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.
References: https://docs.divvycloud.com/changelog/23321-release-notes https://nephosec.com/exploiting-rapid7s-insightcloudsec
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-0681 – Rapid7 Nexpose Uncontrolled URL Redirect
https://notcve.org/view.php?id=CVE-2023-0681
Rapid7 InsightVM versions 6.6.178 and lower suffer from an open redirect vulnerability, whereby an attacker can redirect the user to a site of the attacker’s choice using the ‘page’ parameter of the ‘data/console/redirect’ component of the application. This issue was resolved in the February 2023 release of version 6.6.179.
References: https://docs.rapid7.com/release-notes/nexpose/20230208
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-0599 – Rapid7 Metasploit Pro Stored XSS
https://notcve.org/view.php?id=CVE-2023-0599
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross-site scripting vulnerability due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.
References: https://docs.rapid7.com/release-notes/metasploit/20230130
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3913 – Rapid7 Nexpose Certificate Validation Issue
https://notcve.org/view.php?id=CVE-2022-3913
Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server's FQDN or redirect legitimate traffic to the attacker's server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.
References: https://docs.rapid7.com/release-notes/nexpose/20230201 https://www.rapid7.com/blog/post/2022/12/07/cve-2022-4261-rapid7-nexpose-update-validation-issue-fixed
CWE-295: Improper Certificate Validation
CVE-2023-0290 – Rapid7 Velociraptor directory traversal in client ID parameter
https://notcve.org/view.php?id=CVE-2023-0290
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in the location where the collection task could be written. It was possible to provide a client ID of "../clients/server" to schedule the collection for the server (as a server artifact) while only holding the privileges needed to schedule collections on a client. Normally, scheduling an artifact on the server requires the COLLECT_SERVER permission, which is only granted to the "administrator" role. Due to this issue, the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role, is sufficient. To exploit this vulnerability, the attacker must already have a Velociraptor user account of at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend.
References: https://github.com/Velocidex/velociraptor
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')