Lucene search

Rapid7CVELIST:CVE-2024-8042

HistorySep 09, 2024 - 3:02 p.m.

CVE-2024-8042 Rapid7 Insight Platform Unauthorized Empty Group Creation

2024-09-0915:02:38

CWE-862

rapid7

www.cve.org

rapid7 insight platform

unauthorized

empty group creation

missing authorization

intercept local requests

new user group

vulnerability

remediated

CVSS3

2.4

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

EPSS

Percentile

13.4%

JSON

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Insight Platform",
    "vendor": "Rapid7",
    "versions": [
      {
        "lessThan": "08/14/2024",
        "status": "affected",
        "version": "11/2019",
        "versionType": "date"
      }
    ]
  }
]

References

cwe.mitre.org/data/definitions/862.html

CVSS3

2.4

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

EPSS

Percentile

13.4%

JSON

Related for CVELIST:CVE-2024-8042