CVE-2021-4016

Rapid7 Insight Agent Improper Access Control

CVSS 4 MEDIUMEPSS 0.2%CWE-284

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

21 Jan 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this directory e.g. asset_info.json or file_info.json, leading to a loss of confidentiality. This issue was fixed in Rapid7 Insight Agent 3.1.3.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

Rapid7 · Insight Agent

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.rapid7.com/release-notes/insightagent/20220119/