CVE-2019-5642 LOW

CVE-2019-5642: MAGICK

Vendor Rapid7
Product Metasploit Pro
Weakness CWE-732
Published November 6, 2019
Last update September 17, 2024

CVSS base score

3.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro web interface.

Key dates

02 Disclosure timeline

November 6, 2019 CVE published
September 17, 2024 Record updated