Description
Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions.
Exploits (1)
References (3)
Core 3
Core References
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://github.com/rapid7/metasploit-framework/pull/11716
Release Notes, Vendor Advisory x_refsource_confirm
https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416
Exploit, Third Party Advisory x_refsource_misc
https://blog.doyensec.com/2019/04/24/rubyzip-bug.html
Scores
CVSS v3
7.3
EPSS
0.0437
EPSS Percentile
89.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
rapid7/metasploit
< 4.14.0
Published
Apr 30, 2019
Tracked Since
Feb 18, 2026