CVE-2024-3185 MEDIUM

CVE-2024-3185: Rapid7 Insight Agent Sensitive Key Exposed To Local Users

Vendor Rapid7
Product Insight Agent
Weakness CWE-1284
Published April 23, 2024
Last update August 1, 2024

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H

What the vulnerability does

Description

A key stored in the Insight Agent's logging.json is, by default, granted more privilege than it needs and is readable by local users of the host. An attacker with local access to a machine that holds the logging.json file can take that key and use it to authenticate to the Rapid7 Platform with high privileges. Rapid7 fixed this on the platform side starting 3 April 2024 by introducing a restricted role for the key and by no longer generating an API key automatically when an agent is installed.
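A local check for the exposure described above, added here as an example and not Rapid7's own code or tooling. The advisory does not give the location of logging.json or the name of the JSON field that holds the key, so the script takes the path as an argument and flags any non-empty string value whose field name contains "key", "token" or "secret" (a heuristic, not the real schema); the sample file it writes has constructed contents. It assumes a POSIX host where the group/other read bits are meaningful.

```python
"""Audit a logging.json for a credential readable by other local users.

Added example, not Rapid7's code. Assumptions not taken from the advisory:
- the file path is supplied by the caller;
- a credential is a non-empty string under a field name containing one of
  SENSITIVE_NAME_HINTS;
- POSIX permission bits (Linux/macOS).
"""
import json
import os
import stat
import sys
import tempfile
from dataclasses import dataclass

SENSITIVE_NAME_HINTS = ("key", "token", "secret")  # heuristic, not Rapid7's schema


@dataclass
class AuditResult:
    path: str
    mode: int                 # permission bits only, e.g. 0o644
    readable_by_group: bool
    readable_by_others: bool
    sensitive_fields: list    # dotted JSON paths of candidate credentials

    @property
    def exposed(self) -> bool:
        """True when a candidate credential is present AND someone other than
        the owner can read the file: the condition CVE-2024-3185 describes."""
        return bool(self.sensitive_fields) and (
            self.readable_by_group or self.readable_by_others)


def find_sensitive_fields(obj, prefix=""):
    """Walk parsed JSON and return dotted paths of string values whose field
    name suggests a credential. Lists are addressed as name[index]."""
    found = []
    if isinstance(obj, dict):
        for name, value in obj.items():
            path = f"{prefix}.{name}" if prefix else name
            if (isinstance(value, str) and value
                    and any(h in name.lower() for h in SENSITIVE_NAME_HINTS)):
                found.append(path)
            else:
                found.extend(find_sensitive_fields(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_sensitive_fields(value, f"{prefix}[{i}]"))
    return found


def audit_logging_json(path):
    """Combine the file's mode bits with the credential scan."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    return AuditResult(
        path=path,
        mode=mode,
        readable_by_group=bool(mode & stat.S_IRGRP),
        readable_by_others=bool(mode & stat.S_IROTH),
        sensitive_fields=find_sensitive_fields(doc),
    )


def harden(path):
    """Restrict the file to owner read/write (0600). This only closes the local
    read; the key itself should still be treated as exposed and rotated."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Write a constructed logging.json (made-up contents) with the permissive
    0644 mode, audit it, harden it, and audit again."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "logging.json")
    constructed = {
        "level": "info",
        "sink": {"url": "https://example.invalid", "api_key": "CONSTRUCTED-SAMPLE-VALUE"},
    }
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(constructed, fh)
    os.chmod(path, 0o644)
    before = audit_logging_json(path)
    harden(path)
    after = audit_logging_json(path)
    return before, after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_logging_json(target) if target else demo()[0]
    print(f"{result.path}: mode={result.mode:04o} fields={result.sensitive_fields} "
          f"exposed={result.exposed}")
```

Run it against a real file with `python audit_logging_json.py /path/to/logging.json`; with no argument it runs the constructed demo. A positive result means the key must be rotated, not merely hidden: restricting the mode stops further local reads, but anyone who could read the file before still holds a key that, before the platform fix, authenticated with high privileges.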

Key dates

Disclosure timeline

April 23, 2024 CVE published
August 1, 2024 Record updated