CVE-2024-8042

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.

CVSS v3 2.4 LOW

2.4^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.7 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://cwe.mitre.org/data/definitions/862.html	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:rapid7:insight_platform:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-09 15:15

Updated : 2024-09-17 17:25

NVD link : CVE-2024-8042

Mitre link : CVE-2024-8042

CVE.ORG link : CVE-2024-8042

JSON object : View

Products Affected

rapid7

insight_platform

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-8042", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@rapid7.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2024-09-09T15:15:12.340", "references": [{"url": "https://cwe.mitre.org/data/definitions/862.html", "tags": ["Not Applicable"], "source": "cve@rapid7.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024."}, {"lang": "es", "value": "Las versiones de Rapid7 Insight Platform entre noviembre de 2019 y el 14 de agosto de 2024 sufren problemas de falta de autorizaci\u00f3n, por los cuales un atacante puede interceptar solicitudes locales para establecer el nombre y la descripci\u00f3n de un nuevo grupo de usuarios. Esto podr\u00eda provocar que se agregue un grupo de usuarios vac\u00edo al cliente incorrecto. Esta vulnerabilidad se solucion\u00f3 a partir del 14 de agosto de 2024."}], "lastModified": "2024-09-17T17:25:02.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:insight_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD09D559-3A19-41AD-BAA3-B6982640BF7A", "versionEndExcluding": "2024-08-14", "versionStartIncluding": "2019-11-01"}], "operator": "OR"}]}], "sourceIdentifier": "cve@rapid7.com"}