CVE-2024-11401

Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024.

CVSS

No CVSS.

References

Link	Resource
https://cwe.mitre.org/data/definitions/862.html

Configurations

No configuration.

History

11 Dec 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-11 10:15

Updated : 2024-12-11 10:15

NVD link : CVE-2024-11401

Mitre link : CVE-2024-11401

CVE.ORG link : CVE-2024-11401

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-11401", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve@rapid7.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 5.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-12-11T10:15:06.013", "references": [{"url": "https://cwe.mitre.org/data/definitions/862.html", "source": "cve@rapid7.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024."}], "lastModified": "2024-12-11T10:15:06.013", "sourceIdentifier": "cve@rapid7.com"}

CVE-2024-11401

JSON object

Attach tags to CVE-2024-11401

Attach tags to `CVE-2024-11401`