Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation

🗓️ 06 Sep 2020 00:00:00Reported by Angelo D'AmatoType 
zeroscience
 zeroscience🔗 www.zeroscience.mk👁 135 Views

Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation, unquoted element, local privilege escalation risk

Related
Code
ReporterTitlePublishedViews
Family
CVE		CVE-2020-7382
3 Sep 202013:55
cve
Cvelist		CVE-2020-7382 Unquoted Path in Rapid7 Nexpose Installer
3 Sep 202013:55
cvelist
EUVD		EUVD-2020-28509
7 Oct 202500:30
euvd
NVD		CVE-2020-7382
3 Sep 202014:15
nvd
OSV		CVE-2020-7382
3 Sep 202014:15
osv
Prion		Path traversal
3 Sep 202014:15
prion
RedhatCVE		CVE-2020-7382
22 May 202516:48
redhatcve
<html><body><p>Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation


Vendor: Rapid7
Product web page: https://www.rapid7.com
Affected version: &lt;=6.6.39

Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support
the entire vulnerability management lifecycle, including discovery, detection,
verification, risk classification, impact analysis, reporting and mitigation.
It integrates with Rapid7's Metasploit for vulnerability exploitation.

Desc: Rapid7 Nexpose installer version prior to 6.6.40 uses a search path
that contains an unquoted element, in which the element contains whitespace
or other separators. This can cause the product to access resources in a parent
path, allowing local privilege escalation.

Tested on: Microsoft Windows 10 Enterprise, x64-based PC
           Microsoft Windows Server 2016 Standard, x64-based PC


Vulnerability discovered by Angelo D'Amato
                            @zeroscience


Advisory ID: ZSL-2019-5587
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php


07.08.2020

--


C:\Users\test&gt;sc qc nexposeengine
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeengine
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Scan Engine
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
</p></body></html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Sep 2020 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 24.4
CVSS 3.16.5 - 6.8
EPSS0.00096
rapid7nexposeinstallerlocalprivilege escalationvulnerabilityscannerversionmicrosoft windows 10server 2016cve-2020-7382vulnerability discoveredvendorpatchcreditszero science labexploit.
135