
CVE-2019-5642


Severity Score: 3.3 (CVSS v3.1)
Exploit Likelihood: - (EPSS: no value listed)
Affected Versions: - (CPE: see "Affected Vendors, Products, and Versions")
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV: no entry)
Decision: - (SSVC: no entry)
Descriptions

Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.


*Credits: This issue was discovered and reported to Rapid7 by Rodney Beele. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).
CVSS Scores
CVSS v3.1 (base score 3.3), vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS v2, vector AV:L/AC:L/Au:N/C:P/I:N/A:N
  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-01-07 CVE Reserved
  • 2019-11-06 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • (no date) Exploited in Wild
  • (no date) KEV Due Date
  • (no date) First Exploit
CWE
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
Affected Vendors, Products, and Versions
Vendor  | Product    | Version  | Other            | Status
--------|------------|----------|------------------|---------
Rapid7  | Metasploit | < 4.16.0 | pro              | Affected
Rapid7  | Metasploit | 4.16.0   | pro              | Affected
Rapid7  | Metasploit | 4.16.0   | 20190722, pro    | Affected
Rapid7  | Metasploit | 4.16.0   | 20190805, pro    | Affected
Rapid7  | Metasploit | 4.16.0   | 2019081901, pro  | Affected