CVE-2024-6504 - OpenCVE

Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rapid7	Insightvm

Configuration 1 [-]

cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://docs.rapid7.com/release-notes/insightvm/20240717/

History

Tue, 10 Sep 2024 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rapid7 Rapid7 insightvm
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:rapid7:insightvm::::::::
Vendors & Products		Rapid7 Rapid7 insightvm

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2024-07-18T09:32:03.231Z

Updated: 2024-08-01T21:41:03.465Z

Reserved: 2024-07-04T08:52:01.833Z

Link: CVE-2024-6504

Vulnrichment

Updated: 2024-08-01T21:41:03.465Z

NVD

Status : Analyzed

Published: 2024-07-18T10:15:03.373

Modified: 2024-09-10T13:53:28.387

Link: CVE-2024-6504

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6504", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2024-07-04T08:52:01.833Z", "datePublished": "2024-07-18T09:32:03.231Z", "dateUpdated": "2024-08-01T21:41:03.465Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "InsightVM", "vendor": "Rapid7", "versions": [{"lessThan": "6.6.261", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2024-07-17T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261."}], "value": "Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2024-07-18T09:32:03.231Z"}, "references": [{"url": "https://docs.rapid7.com/release-notes/insightvm/20240717/"}], "source": {"discovery": "UNKNOWN"}, "title": "Rapid7 InsightVM Protection Mechanism Failure", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-18T13:11:07.364971Z", "id": "CVE-2024-6504", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-18T13:11:19.400Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.465Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.rapid7.com/release-notes/insightvm/20240717/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.rapid7.com/release-notes/insightvm/20240717/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:41:03.465Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6504", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-18T13:11:07.364971Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-18T13:11:14.264Z"}}], "cna": {"title": "Rapid7 InsightVM Protection Mechanism Failure", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Rapid7", "product": "InsightVM", "versions": [{"status": "affected", "version": "0", "lessThan": "6.6.261", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2024-07-17T11:00:00.000Z", "references": [{"url": "https://docs.rapid7.com/release-notes/insightvm/20240717/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261.", "supportingMedia": [{"type": "text/html", "value": "Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2024-07-18T09:32:03.231Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6504", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:41:03.465Z", "dateReserved": "2024-07-04T08:52:01.833Z", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "datePublished": "2024-07-18T09:32:03.231Z", "assignerShortName": "rapid7"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:insightvm:*:*:*:*:*:*:*:*", "matchCriteriaId": "03CB4C38-684D-4FB7-9D19-0CD2E29595FF", "versionEndExcluding": "6.6.261", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261."}, {"lang": "es", "value": "Las versiones de Rapid7 InsightVM Console inferiores a 6.6.260 sufren una falla en el mecanismo de protecci\u00f3n mediante el cual un atacante con acceso de red a InsightVM Console puede provocar que se sobrecargue o falle al enviar repetidas solicitudes REST no v\u00e1lidas en un corto per\u00edodo de tiempo al puerto 443 de la consola, lo que provoca que la consola se bloquee. para ingresar a un bucle de registro de manejo de excepciones, agotando la CPU. No hay indicios de que un atacante pueda utilizar este m\u00e9todo para escalar privilegios, adquirir acceso no autorizado a datos u obtener control de recursos protegidos. Este problema se solucion\u00f3 en la versi\u00f3n 6.6.261."}], "id": "CVE-2024-6504", "lastModified": "2024-09-10T13:53:28.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2024-07-18T10:15:03.373", "references": [{"source": "cve@rapid7.com", "tags": ["Vendor Advisory"], "url": "https://docs.rapid7.com/release-notes/insightvm/20240717/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "cve@rapid7.com", "type": "Secondary"}]}