Vulnerability Description
In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect Rapid7 Komand version 0.42.0 and later versions.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rapid7 | Komand | <= 0.41.0 |
Related Weaknesses (CWE)
References
- https://docs.komand.com/docs/release-notes#section-komand-v0-42-0-2018-11-1 (Release Notes, Vendor Advisory)
- https://www.alexanderjaeger.de/cve-2018-5559_my_first_cve/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2018-5559?
CVE-2018-5559 is a vulnerability with a CVSS score of 3.4 (LOW). In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring se...
How severe is CVE-2018-5559?
CVE-2018-5559 has been rated LOW with a CVSS base score of 3.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-5559?
Check the references section above for vendor advisories and patch information. Affected products include: Rapid7 Komand.