Vulnerabilites related to Rapid7 - Metasploit Framework
CVE-2019-5645 (GCVE-0-2019-5645)
Vulnerability from cvelistv5
Published
2020-09-01 14:35
Modified
2024-09-17 03:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/rapid7/metasploit-framework/pull/12433 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Metasploit Framework |
Version: 5.0.27 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/12433"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Metasploit Framework",
"vendor": "Rapid7",
"versions": [
{
"lessThanOrEqual": "5.0.27",
"status": "affected",
"version": "5.0.27",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was reported by Jose Garduno of Dreamlab Technologies, AG"
}
],
"datePublic": "2019-10-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-01T14:35:12",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/12433"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rapid7 Metasploit HTTP Handler Denial of Service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2019-10-09T14:54:00.000Z",
"ID": "CVE-2019-5645",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Metasploit HTTP Handler Denial of Service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metasploit Framework",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "5.0.27",
"version_value": "5.0.27"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was reported by Jose Garduno of Dreamlab Technologies, AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rapid7/metasploit-framework/pull/12433",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/12433"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5645",
"datePublished": "2020-09-01T14:35:12.880695Z",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-09-17T03:29:11.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5624 (GCVE-0-2019-5624)
Vulnerability from cvelistv5
Published
2019-04-30 16:53
Modified
2024-09-17 04:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/rapid7/metasploit-framework/pull/11716 | x_refsource_CONFIRM | |
| https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416 | x_refsource_CONFIRM | |
| https://blog.doyensec.com/2019/04/24/rubyzip-bug.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Metasploit Framework |
Version: 4.14.0 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:51.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/11716"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Metasploit Framework",
"vendor": "Rapid7",
"versions": [
{
"lessThanOrEqual": "4.14.0",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Doyensec, and reported privately by Luca Carettoni."
}
],
"datePublic": "2019-04-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-30T16:53:31",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/11716"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 4.15.0 or later."
}
],
"source": {
"discovery": "USER"
},
"title": "Rapid7 Metasploit Framework Zip Import Directory Traversal",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2019-04-24T18:00:00.000Z",
"ID": "CVE-2019-5624",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Metasploit Framework Zip Import Directory Traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metasploit Framework",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "4.14.0",
"version_value": "4.14.0"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Doyensec, and reported privately by Luca Carettoni."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rapid7/metasploit-framework/pull/11716",
"refsource": "CONFIRM",
"url": "https://github.com/rapid7/metasploit-framework/pull/11716"
},
{
"name": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416",
"refsource": "CONFIRM",
"url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"
},
{
"name": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html",
"refsource": "MISC",
"url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 4.15.0 or later."
}
],
"source": {
"discovery": "USER"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5624",
"datePublished": "2019-04-30T16:53:31.816001Z",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-09-17T04:29:13.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7376 (GCVE-0-2020-7376)
Vulnerability from cvelistv5
Published
2020-08-24 19:10
Modified
2024-09-16 23:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-23 - Relative Path Traversal
Summary
The Metasploit Framework module "post/osx/gather/enum_osx module" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/rapid7/metasploit-framework/issues/14008 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Metasploit Framework |
Version: 4.11.7 < 4.11.7* Version: 6.0.3 < 6.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:49.061Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/issues/14008"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Metasploit Framework",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "4.11.7*",
"status": "affected",
"version": "4.11.7",
"versionType": "custom"
},
{
"lessThan": "6.0.3",
"status": "affected",
"version": "6.0.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was reported, and fixed, by bcoles."
}
],
"datePublic": "2020-08-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Metasploit Framework module \"post/osx/gather/enum_osx module\" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-24T19:10:17",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rapid7/metasploit-framework/issues/14008"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update to version 6.0.3 or later of the Metasploit Framework."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Rapid7 Metasploit Framework Relative Path Traversal in enum_osx module",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-08-17T10:00:00.000Z",
"ID": "CVE-2020-7376",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Metasploit Framework Relative Path Traversal in enum_osx module"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metasploit Framework",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "4.11.7",
"version_value": "4.11.7"
},
{
"version_affected": "\u003c",
"version_name": "6.0.3",
"version_value": "6.0.3"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was reported, and fixed, by bcoles."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Metasploit Framework module \"post/osx/gather/enum_osx module\" is affected by a relative path traversal vulnerability in the get_keychains method which can be exploited to write arbitrary files to arbitrary locations on the host filesystem when the module is run on a malicious host."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23 Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rapid7/metasploit-framework/issues/14008",
"refsource": "CONFIRM",
"url": "https://github.com/rapid7/metasploit-framework/issues/14008"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update to version 6.0.3 or later of the Metasploit Framework."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7376",
"datePublished": "2020-08-24T19:10:17.594819Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-16T23:35:28.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7385 (GCVE-0-2020-7385)
Vulnerability from cvelistv5
Published
2021-04-23 15:35
Modified
2024-09-17 01:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. Note that an attacker would have to lie in wait and entice the Metasploit user to run the affected module against a malicious endpoint in a "hack-back" type of attack. Metasploit is only vulnerable when the drb_remote_codeexec module is running. In most cases, this cannot happen automatically.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/rapid7/metasploit-framework/pull/14300 | x_refsource_MISC | |
| https://help.rapid7.com/metasploit/release-notes/archive/2020/10/ | x_refsource_MISC | |
| https://github.com/rapid7/metasploit-framework/pull/14335 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Metasploit Framework |
Version: 6.0.15 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:48.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/14300"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://help.rapid7.com/metasploit/release-notes/archive/2020/10/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/14335"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Metasploit Framework",
"vendor": "Rapid7",
"versions": [
{
"lessThanOrEqual": "6.0.15",
"status": "affected",
"version": "6.0.15",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Jeff Dileo of NCC Group, and reported to Rapid7 via Rapid7\u0027s coordinated vulnerability disclosure process, detailed here: https://www.rapid7.com/.well-known/security.txt"
}
],
"datePublic": "2020-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. Note that an attacker would have to lie in wait and entice the Metasploit user to run the affected module against a malicious endpoint in a \"hack-back\" type of attack. Metasploit is only vulnerable when the drb_remote_codeexec module is running. In most cases, this cannot happen automatically."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-23T15:35:19",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/14300"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://help.rapid7.com/metasploit/release-notes/archive/2020/10/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rapid7/metasploit-framework/pull/14335"
}
],
"solutions": [
{
"lang": "en",
"value": "Do not run the drb_remote_codeexec module. After commit 659137da94fa2fe56ce5c44d611db3692bf7d2e5, the Metasploit Framework no longer ships with the affected module."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Metasploit Framework \u0027drb_remote_codeexec\u0027 code execution",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-10-22T17:09:00.000Z",
"ID": "CVE-2020-7385",
"STATE": "PUBLIC",
"TITLE": "Metasploit Framework \u0027drb_remote_codeexec\u0027 code execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metasploit Framework",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "6.0.15",
"version_value": "6.0.15"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Jeff Dileo of NCC Group, and reported to Rapid7 via Rapid7\u0027s coordinated vulnerability disclosure process, detailed here: https://www.rapid7.com/.well-known/security.txt"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. Note that an attacker would have to lie in wait and entice the Metasploit user to run the affected module against a malicious endpoint in a \"hack-back\" type of attack. Metasploit is only vulnerable when the drb_remote_codeexec module is running. In most cases, this cannot happen automatically."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rapid7/metasploit-framework/pull/14300",
"refsource": "MISC",
"url": "https://github.com/rapid7/metasploit-framework/pull/14300"
},
{
"name": "https://help.rapid7.com/metasploit/release-notes/archive/2020/10/",
"refsource": "MISC",
"url": "https://help.rapid7.com/metasploit/release-notes/archive/2020/10/"
},
{
"name": "https://github.com/rapid7/metasploit-framework/pull/14335",
"refsource": "CONFIRM",
"url": "https://github.com/rapid7/metasploit-framework/pull/14335"
}
]
},
"solution": [
{
"lang": "en",
"value": "Do not run the drb_remote_codeexec module. After commit 659137da94fa2fe56ce5c44d611db3692bf7d2e5, the Metasploit Framework no longer ships with the affected module."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7385",
"datePublished": "2021-04-23T15:35:19.277046Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-17T01:30:50.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7377 (GCVE-0-2020-7377)
Vulnerability from cvelistv5
Published
2020-08-24 19:10
Modified
2024-09-17 03:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-23 - Relative Path Traversal
Summary
The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/rapid7/metasploit-framework/issues/14015 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Metasploit Framework |
Version: 4.12.40 < 4.12.40* Version: 6.0.3 < 6.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:49.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/issues/14015"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Metasploit Framework",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "4.12.40*",
"status": "affected",
"version": "4.12.40",
"versionType": "custom"
},
{
"lessThan": "6.0.3",
"status": "affected",
"version": "6.0.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was reported, and fixed, by bcoles."
}
],
"datePublic": "2020-08-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Metasploit Framework module \"auxiliary/admin/http/telpho10_credential_dump\" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-24T19:10:17",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rapid7/metasploit-framework/issues/14015"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update to version 6.0.3 or later of the Metasploit Framework."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Rapid7 Metasploit Framework Relative Path Traversal in telpho10_credential_dump module",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-08-18T08:48:00.000Z",
"ID": "CVE-2020-7377",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Metasploit Framework Relative Path Traversal in telpho10_credential_dump module"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metasploit Framework",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "4.12.40",
"version_value": "4.12.40"
},
{
"version_affected": "\u003c",
"version_name": "6.0.3",
"version_value": "6.0.3"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was reported, and fixed, by bcoles."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Metasploit Framework module \"auxiliary/admin/http/telpho10_credential_dump\" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23 Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rapid7/metasploit-framework/issues/14015",
"refsource": "CONFIRM",
"url": "https://github.com/rapid7/metasploit-framework/issues/14015"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update to version 6.0.3 or later of the Metasploit Framework."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7377",
"datePublished": "2020-08-24T19:10:18.025073Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-17T03:43:45.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7350 (GCVE-0-2020-7350)
Vulnerability from cvelistv5
Published
2020-04-22 21:25
Modified
2024-09-17 00:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - OS Command Injection
Summary
Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. An attacker can create a specially-crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator's terminal. Note, only the Metasploit Framework and products that expose the plugin system is susceptible to this issue -- notably, this does not include Rapid7 Metasploit Pro. Also note, this vulnerability cannot be triggered through a normal scan operation -- the attacker would have to supply a file that is processed with the db_import command.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/rapid7/metasploit-framework/issues/13026 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Metasploit Framework |
Version: 5.0.85 < 5.0.85 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:25:49.030Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rapid7/metasploit-framework/issues/13026"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Metasploit Framework",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "5.0.85",
"status": "affected",
"version": "5.0.85",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported to Rapid7 by javier aguinaga."
}
],
"datePublic": "2020-04-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer\u0027s hostname or service name. An attacker can create a specially-crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator\u0027s terminal. Note, only the Metasploit Framework and products that expose the plugin system is susceptible to this issue -- notably, this does not include Rapid7 Metasploit Pro. Also note, this vulnerability cannot be triggered through a normal scan operation -- the attacker would have to supply a file that is processed with the db_import command."
}
],
"exploits": [
{
"lang": "en",
"value": "An exploit is available at the CONRIM link, along with the fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-23T20:11:53",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rapid7/metasploit-framework/issues/13026"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is resolved in Metasploit Pro version 5.0.85"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Metasploit Framework Plugin Libnotify Command Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2020-04-16T15:55:00.000Z",
"ID": "CVE-2020-7350",
"STATE": "PUBLIC",
"TITLE": "Metasploit Framework Plugin Libnotify Command Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metasploit Framework",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.0.85",
"version_value": "5.0.85"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported to Rapid7 by javier aguinaga."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer\u0027s hostname or service name. An attacker can create a specially-crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator\u0027s terminal. Note, only the Metasploit Framework and products that expose the plugin system is susceptible to this issue -- notably, this does not include Rapid7 Metasploit Pro. Also note, this vulnerability cannot be triggered through a normal scan operation -- the attacker would have to supply a file that is processed with the db_import command."
}
]
},
"exploit": [
{
"lang": "en",
"value": "An exploit is available at the CONRIM link, along with the fix."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rapid7/metasploit-framework/issues/13026",
"refsource": "CONFIRM",
"url": "https://github.com/rapid7/metasploit-framework/issues/13026"
}
]
},
"solution": [
{
"lang": "en",
"value": "This issue is resolved in Metasploit Pro version 5.0.85"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2020-7350",
"datePublished": "2020-04-22T21:25:13.300204Z",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-09-17T00:51:34.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}