Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.
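The weakness described above is a file-permission defect: a private key that should be readable only by its owner is left readable by every local account. The POSIX shell script below is an added example (not Rapid7's code) that shows the check a defender can run against any installed key file and the fix to apply. The key path is an assumption set through `KEY_PATH`; the page does not state where Metasploit Pro writes `server.key`, so a placeholder is used.

```shell
#!/bin/sh
# Added example, not Rapid7's code: detect and correct a private key file
# left readable by other local users (the CWE-732 condition).
# The path is an assumption; the real location of server.key depends on the
# Metasploit Pro installation and is not given on the page.
KEY_PATH="${KEY_PATH:-/path/to/metasploit-pro/server.key}"   # placeholder

# key_is_private FILE: succeed (0) only if FILE grants no group or other
# permission bits, i.e. its symbolic mode looks like -rw------- (type and
# owner bits, then six '-' characters). Returns 2 if FILE does not exist.
key_is_private() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # ls -l output is portable across GNU and BSD; take the 10 mode chars.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# harden_key FILE: restrict to owner read/write (0600) and re-verify.
harden_key() {
    f="$1"
    chmod 600 "$f" || return 1
    key_is_private "$f"
}

# Usage: KEY_PATH=/actual/server.key sh check_key.sh
if [ -f "$KEY_PATH" ]; then
    if key_is_private "$KEY_PATH"; then
        echo "OK: $KEY_PATH is owner-only"
    else
        echo "WARNING: $KEY_PATH is readable by group/other; restricting" >&2
        harden_key "$KEY_PATH" && echo "fixed: $KEY_PATH is now 0600"
    fi
fi
```

The check deliberately rejects group-readable as well as world-readable modes: a TLS private key has no legitimate reader other than the service account that loads it, so anything looser than 0600 is worth an alert even when it is not the exact case described here.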
busterb at 2019-11-14T18:11:16.616954Z reported: This requires authentication via a remote shell in order to be effective. If an adversary is on your Metasploit Pro machine such that they can access the key in the first place, it's already game-over. So, having the web-server certificate key (which is by default a fake cert anyway) is unlikely to be a high risk for a Metasploit Pro user.
Assessed Attacker Value: 1
Assessed Exploitability: 1