OpenCVE

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Rapid7	Insight Platform

Configuration 1 [-]

cpe:2.3:a:rapid7:insight_platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cwe.mitre.org/data/definitions/862.html

History

Tue, 17 Sep 2024 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rapid7 Rapid7 insight Platform
CPEs		cpe:2.3:a:rapid7:insight_platform::::::::
Vendors & Products		Rapid7 Rapid7 insight Platform

Mon, 09 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Sep 2024 15:15:00 +0000

Type	Values Removed	Values Added
Description		Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.
Title		Rapid7 Insight Platform Unauthorized Empty Group Creation
Weaknesses		CWE-862
References		https://cwe.mitre.org/data/definitions/862.html
Metrics		cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2024-09-09T15:02:38.681Z

Updated: 2024-09-09T17:12:45.623Z

Reserved: 2024-08-21T15:43:31.979Z

Link: CVE-2024-8042

Vulnrichment

Updated: 2024-09-09T17:12:42.532Z

NVD

Status : Analyzed

Published: 2024-09-09T15:15:12.340

Modified: 2024-09-17T17:25:02.330

Link: CVE-2024-8042

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8042", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2024-08-21T15:43:31.979Z", "datePublished": "2024-09-09T15:02:38.681Z", "dateUpdated": "2024-09-09T17:12:45.623Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Insight Platform", "vendor": "Rapid7", "versions": [{"lessThan": "08/14/2024", "status": "affected", "version": "11/2019", "versionType": "date"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Abhik Makwana (mAd13)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.<br>"}], "value": "Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2024-09-09T15:02:38.681Z"}, "references": [{"url": "https://cwe.mitre.org/data/definitions/862.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Rapid7 Insight Platform Unauthorized Empty Group Creation", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-09T17:12:36.190853Z", "id": "CVE-2024-8042", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T17:12:45.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-09T17:12:36.190853Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T17:12:42.532Z"}}], "cna": {"title": "Rapid7 Insight Platform Unauthorized Empty Group Creation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Abhik Makwana (mAd13)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Rapid7", "product": "Insight Platform", "versions": [{"status": "affected", "version": "11/2019", "lessThan": "08/14/2024", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cwe.mitre.org/data/definitions/862.html"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.", "supportingMedia": [{"type": "text/html", "value": "Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2024-09-09T15:02:38.681Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8042", "state": "PUBLISHED", "dateUpdated": "2024-09-09T17:12:45.623Z", "dateReserved": "2024-08-21T15:43:31.979Z", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "datePublished": "2024-09-09T15:02:38.681Z", "assignerShortName": "rapid7"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:insight_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD09D559-3A19-41AD-BAA3-B6982640BF7A", "versionEndExcluding": "2024-08-14", "versionStartIncluding": "2019-11-01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024."}, {"lang": "es", "value": "Las versiones de Rapid7 Insight Platform entre noviembre de 2019 y el 14 de agosto de 2024 sufren problemas de falta de autorizaci\u00f3n, por los cuales un atacante puede interceptar solicitudes locales para establecer el nombre y la descripci\u00f3n de un nuevo grupo de usuarios. Esto podr\u00eda provocar que se agregue un grupo de usuarios vac\u00edo al cliente incorrecto. Esta vulnerabilidad se solucion\u00f3 a partir del 14 de agosto de 2024."}], "id": "CVE-2024-8042", "lastModified": "2024-09-17T17:25:02.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2024-09-09T15:15:12.340", "references": [{"source": "cve@rapid7.com", "tags": ["Not Applicable"], "url": "https://cwe.mitre.org/data/definitions/862.html"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "cve@rapid7.com", "type": "Secondary"}]}