CVE-2019-5631 HIGH

CVE-2019-5631: Rapid7 InsightAppSec Local Privilege Escalation

Vendor Rapid7
Product InsightAppSec
Weakness CWE-427
Published August 19, 2019
Last update September 16, 2024

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. If exploited, a local user of the system (who must already be authenticated to the operating system) can elevate their privileges with this vulnerability to the privilege level of InsightAppSec (usually, SYSTEM). This issue affects version 2019.06.24 and prior versions of the product.

Key dates

02 Disclosure timeline

August 19, 2019 CVE published
September 16, 2024 Record updated