CVE-2024-8042

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cwe.mitre.org/data/definitions/862.html	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:rapid7:insight_platform:*:*:*:*:*:*:*:*

History

17 Sep 2024, 17:25

Type	Values Removed	Values Added
Summary		(es) Las versiones de Rapid7 Insight Platform entre noviembre de 2019 y el 14 de agosto de 2024 sufren problemas de falta de autorización, por los cuales un atacante puede interceptar solicitudes locales para establecer el nombre y la descripción de un nuevo grupo de usuarios. Esto podría provocar que se agregue un grupo de usuarios vacío al cliente incorrecto. Esta vulnerabilidad se solucionó a partir del 14 de agosto de 2024.
First Time		Rapid7 insight Platform Rapid7
CVSS	v2 : ~~unknown~~ v3 : ~~2.4~~	v2 : unknown v3 : 3.1
CPE		cpe:2.3:a:rapid7:insight_platform::::::::
References	~~() https://cwe.mitre.org/data/definitions/862.html -~~	() https://cwe.mitre.org/data/definitions/862.html - Not Applicable

09 Sep 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-09 15:15

Updated : 2024-09-17 17:25

NVD link : CVE-2024-8042

Mitre link : CVE-2024-8042

CVE.ORG link : CVE-2024-8042

JSON object : View

Products Affected

rapid7

insight_platform

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-8042", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "cve@rapid7.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.7}]}, "published": "2024-09-09T15:15:12.340", "references": [{"url": "https://cwe.mitre.org/data/definitions/862.html", "tags": ["Not Applicable"], "source": "cve@rapid7.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024."}, {"lang": "es", "value": "Las versiones de Rapid7 Insight Platform entre noviembre de 2019 y el 14 de agosto de 2024 sufren problemas de falta de autorizaci\u00f3n, por los cuales un atacante puede interceptar solicitudes locales para establecer el nombre y la descripci\u00f3n de un nuevo grupo de usuarios. Esto podr\u00eda provocar que se agregue un grupo de usuarios vac\u00edo al cliente incorrecto. Esta vulnerabilidad se solucion\u00f3 a partir del 14 de agosto de 2024."}], "lastModified": "2024-09-17T17:25:02.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:insight_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD09D559-3A19-41AD-BAA3-B6982640BF7A", "versionEndExcluding": "2024-08-14", "versionStartIncluding": "2019-11-01"}], "operator": "OR"}]}], "sourceIdentifier": "cve@rapid7.com"}