CVE-2019-5642
LOWRapid7 Metasploit < 4.16.0 - Incorrect Permission Assignment
Title source: ruleDescription
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
References (1)
Core 1
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://help.rapid7.com/metasploit/release-notes/?rid=4.16.0-2019091001
Scores
CVSS v3
3.3
EPSS
0.0009
EPSS Percentile
26.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (2)
rapid7/metasploit
4.16.0 (4 CPE variants)
rapid7/metasploit
< 4.16.0
Published
Nov 06, 2019
Tracked Since
Feb 18, 2026