Vulnerability Description
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.
CVSS Score
MEDIUM (CVSS base score 4.4)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rapid7 | InsightVM | < 6.6.172 |
| Rapid7 | Nexpose | < 6.6.172 |
Related Weaknesses (CWE)
References
- https://docs.rapid7.com/release-notes/insightvm/20221207/ (Release Notes, Vendor Advisory)
- https://docs.rapid7.com/release-notes/nexpose/20221207/ (Release Notes, Vendor Advisory)
- https://www.rapid7.com/blog/post/2022/12/7/cve-2022-4261-rapid7-nexpose-update-v (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2022-4261?
CVE-2022-4261 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the...
How severe is CVE-2022-4261?
CVE-2022-4261 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-4261?
Check the references section above for vendor advisories and patch information; the vendor release notes for 6.6.172 are the fix reference. Affected products include: Rapid7 InsightVM, Rapid7 Nexpose.