Rapid7 Metasploit Pro version 4.16.0-2019081901 Incorrect Permission Assignment for Critical Resource Vulnerability

Summary

Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an incorrect permission assignment for a critical resource, wherein the unique server.key is written to the file system during installation with world-readable permissions.


Credit:

The information has been provided by the vendor.

The original article can be found at: https://help.rapid7.com/metasploit/release-notes/?rid=4.16.0-2019091001


Details

This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
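The risk described above is a permission problem on a single file: any local account can read the TLS private key. As an added example that is not part of the advisory or of Rapid7's product, the POSIX shell script below flags private key files that grant any access to group or other, applies the owner-only mode an administrator would set, and demonstrates both on constructed files in a temporary directory. The directory it scans is an assumption, since the advisory does not state where server.key is written.

```shell
#!/bin/sh
# Added example, not from the Rapid7 advisory: audit TLS private key files for
# permission bits that expose them to other local users, and tighten them.
# The key directory is an assumption; the advisory does not say where
# Metasploit Pro writes server.key.

# key_is_exposed FILE
# Returns 0 when FILE grants any permission to group or other, 1 when only the
# owner has access, 2 when FILE does not exist. Parses the symbolic mode from
# `ls -ld` (characters 5-10 are the group and other triplets), which reads the
# same on GNU and BSD userlands.
key_is_exposed() {
    [ -e "$1" ] || return 2
    group_other=$(ls -ld "$1" | cut -c5-10)
    [ "$group_other" != "------" ]
}

# harden_key FILE
# Restricts FILE to owner read/write, the usual mode for a private key.
harden_key() {
    chmod 600 "$1"
}

# audit_keys DIR
# Prints every *.key file directly under DIR that is exposed, one per line.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_keys() {
    status=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue   # no matches: the glob stays literal
        if key_is_exposed "$f"; then
            echo "exposed: $f ($(ls -ld "$f" | cut -c1-10))"
            status=1
        fi
    done
    return $status
}

# Demonstration on constructed files (placeholder contents, not real keys).
demo() {
    dir=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$dir/server.key"
    printf 'constructed placeholder, not a real key\n' > "$dir/other.key"
    chmod 644 "$dir/server.key"   # the world-readable state the advisory describes
    chmod 600 "$dir/other.key"    # already restricted to the owner
    audit_keys "$dir" || echo "at least one key is exposed; hardening"
    for f in "$dir"/*.key; do
        key_is_exposed "$f" && harden_key "$f"
    done
    audit_keys "$dir" && echo "all keys restricted to owner"
    rm -rf "$dir"
}

demo
```

In practice `audit_keys` would be pointed at the installation's certificate directory and run after installation or from a periodic configuration check; the exit status makes it usable from a monitoring job, and `key_is_exposed` on its own is enough for a one-off verification of the file named in the advisory.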


Vulnerable Systems:

Rapid7 Metasploit Pro version 4.16.0-2019081901 


CVE Information:

CVE-2019-5642


Disclosure Timeline:
Published Date: 11/6/2019