CVE-2020-7358

MEDIUM

Rapid7 AppSpider < 7.2.126 - Uncontrolled Search Path

Title source: rule

Description

In AppSpider installer versions prior to 7.2.126, the installer calls an executable that an attacker with access to the local machine can place in the appropriate directory. This would prevent the installer from distinguishing between the valid executable called during an installation and an arbitrary executable using the same file name.

Scores

CVSS v3: 5.8
EPSS: 0.0008
EPSS Percentile: 23.6%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

Classification

CWE: CWE-427
Status: published

Affected Products (1)

rapid7/appspider < 7.2.126

Timeline

Published: Sep 18, 2020
Tracked Since: Feb 18, 2026