CVE-2017-5243

HIGH

Rapid7 Nexpose <June 2017 - Info Disclosure

Title source: llm

Description

The default SSH configuration in Rapid7 Nexpose hardware appliances shipped before June 2017 does not specify desired algorithms for key exchange and other important functions. As a result, it falls back to allowing ALL algorithms supported by the relevant version of OpenSSH and makes the installations vulnerable to a range of MITM, downgrade, and decryption attacks.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://community.rapid7.com/community/nexpose/blog/2017/05/31/r7-2017-13-nexpose-hardware-appliance-ssh-enabled-obsolete-algorithms-cve-2017-5243

Scores

CVSS v3 8.5

EPSS 0.0051

EPSS Percentile 39.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-327

Status published

Products (2)

rapid7/nexpose < 6.4.40

Rapid7/Nexpose hardware appliance All Nexpose hardware appliances shipped before June 2017.

Published Jun 06, 2017

Tracked Since Feb 18, 2026