CVE-2022-4261
Rapid7 Nexpose Update Validation Issue
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-12-01 CVE Reserved
- 2022-12-07 CVE Published
- 2024-06-29 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-494: Download of Code Without Integrity Check
CAPEC
References (3)
URL | Date | Source
---|---|---
https://www.rapid7.com/blog/post/2022/12/7/cve-2022-4261-rapid7-nexpose-update-validation-issue-fixed | 2024-08-03 |
https://docs.rapid7.com/release-notes/insightvm/20221207 | 2023-11-07 |
https://docs.rapid7.com/release-notes/nexpose/20221207 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Rapid7 | Insightvm | < 6.6.172 | - | Affected
Rapid7 | Nexpose | < 6.6.172 | - | Affected