CVE-2020-7381
Last modified
CVE-2020-7381 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during a Security Console installation and any arbitrary code executable using the same file name.. EPSS estimates a 0.68% chance of exploitation in the next 30 days.
Description
In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during a Security Console installation and any arbitrary code executable using the same file name.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Rapid7 | Nexpose | < 6.6.40 |
References
- https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40Release Notes, Vendor Advisory
- https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40Release Notes, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-7381?
How severe is CVE-2020-7381?
How do I fix CVE-2020-7381?
Are you affected by CVE-2020-7381?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST