CVE-2019-5631

HIGH

Rapid7 Insightappsec < 2019.06.24 - Uncontrolled Search Path

Title source: rule

Description

The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. If exploited, a local user of the system (who must already be authenticated to the operating system) can elevate their privileges with this vulnerability to the privilege level of InsightAppSec (usually, SYSTEM). This issue affects version 2019.06.24 and prior versions of the product.

References (1)

[Release Notes, Vendor Advisory] https://help.rapid7.com/insightappsec/release-notes/archive/2019/07/

Scores

CVSS v3 7.8

EPSS 0.0011

EPSS Percentile 29.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-427 CWE-426

Status published

Affected Products (1)

rapid7/insightappsec < 2019.06.24

Timeline

Published Aug 19, 2019

Tracked Since Feb 18, 2026