CVE-2024-8042

Rapid7 Insight Platform Unauthorized Empty Group Creation

CVSS 2.4 LOWEPSS 0.2%CWE-862

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2.4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

09 Sep 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N

Affected products

Rapid7 · Insight Platform

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cwe.mitre.org/data/definitions/862.html