CVE-2022-0237 – Rapid7 Insight Agent Privilege Escalation
https://notcve.org/view.php?id=CVE-2022-0237
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80. • https://docs.rapid7.com/release-notes/insightagent/20220225 https://gist.github.com/n2dez/05d43c616f2b403e84ee55d4d7aab251 • CWE-264: Permissions, Privileges, and Access Controls; CWE-428: Unquoted Search Path or Element
CVE-2021-4016 – Rapid7 Insight Agent Improper Access Control
https://notcve.org/view.php?id=CVE-2021-4016
Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this directory, e.g. asset_info.json or file_info.json, leading to a loss of confidentiality. This issue was fixed in Rapid7 Insight Agent 3.1.3. • https://docs.rapid7.com/release-notes/insightagent/20220119 • CWE-284: Improper Access Control
CVE-2021-4007 – Rapid7 Insight Agent Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-4007
Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent versions 3.0.1 to 3.1.2.34 start, the Python interpreter attempts to load python3.dll at "C:\DLLs\python3.dll", which is normally writable by locally authenticated users. Because of this, a malicious local user could use Insight Agent's startup conditions to elevate to SYSTEM privileges. This issue was fixed in Rapid7 Insight Agent 3.1.2.35. This vulnerability is a regression of CVE-2019-5629. • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-5629 https://docs.rapid7.com/release-notes/insightagent/20211210 • CWE-427: Uncontrolled Search Path Element
CVE-2019-5640 – Rapid7 Nexpose Information Disclosure after logout
https://notcve.org/view.php?id=CVE-2019-5640
Rapid7 Nexpose versions prior to 6.6.114 suffer from an information exposure issue whereby, when the user's session has ended due to inactivity, an attacker can use the browser's inspect element feature to remove the login panel and view the details available in the last webpage visited by the previous user. • https://docs.rapid7.com/release-notes/nexpose/20211117 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-31868 – Rapid7 Nexpose Security Console Ticket Access Authentication Vulnerability
https://notcve.org/view.php?id=CVE-2021-31868
Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket. This issue was resolved in version 6.6.96, released on August 4, 2021. • https://docs.rapid7.com/release-notes/nexpose/20210804 • CWE-306: Missing Authentication for Critical Function