History: Sep 18, 2020 - 2:55 p.m.

CVE-2020-7358 Code Injection in Rapid7 AppSpider Pro Installer

2020-09-18 14:55:12
CWE-427
rapid7
www.cve.org

CVSS3: 5.8 Medium

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

EPSS: 0.0004 Low
Percentile: 12.7%

In AppSpider installer versions prior to 7.2.126, the AppSpider installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during an installation and any arbitrary code executable using the same file name.

CNA Affected

[
  {
    "product": "AppSpider ",
    "vendor": "Rapid7",
    "versions": [
      {
        "lessThan": "7.2.126",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
