CVE-2019-5615 LOW

CVE-2019-5615: Rapid7 InsightVM Stored Credential Exposure

Vendor: Rapid7
Product: InsightVM
Weakness: CWE-257
Published: April 9, 2019
Last update: September 17, 2024

CVSS base score

3.1/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files, and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects: Rapid7 InsightVM versions 6.5.11 through 6.5.49.

Key dates

02 Disclosure timeline

April 9, 2019: CVE published
September 17, 2024: Record updated