CVE Vulnerability Details: CVE-2019-5638
Status: PUBLISHED
Assigner: rapid7 (Assigner Org ID: 9974b330-7714-4307-a722-5648477acda7)
Published At: 21 Aug, 2019 | 19:36
Updated At: 16 Sep, 2024 | 22:25
▼CVE Numbering Authority (CNA)
Rapid7 Nexpose Insufficient Session Management

Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security-relevant edit on an existing, logged-on user. For example, if a user's password is changed by an administrator because of an otherwise unrelated credential leak, that user account's current session remains valid after the password change, potentially allowing the attacker who originally compromised the credential to stay logged in and cause further damage.
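
The failure mode described above, replayed against a constructed in-memory session store with the fix alongside it. This is an added example, not Nexpose code: the `SessionStore` class, its `cred_version` field and the user `alice` are assumptions; the fix binds every session to the credential generation it was issued under, so an administrator's password reset expires the sessions that predate it.

```python
import hashlib
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Constructed example, not Nexpose code. `bind_to_credentials` switches between the CWE-613
    behaviour in CVE-2019-5638 (sessions outlive an admin password reset) and a fix."""
    def __init__(self, bind_to_credentials: bool):
        self.bind = bind_to_credentials
        self.users = {}     # username -> {"salt", "hash", "cred_version"}
        self.sessions = {}  # token -> {"user", "cred_version"}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "cred_version": 0}

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["hash"], _hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        # Remember which credential generation this session was issued under.
        self.sessions[token] = {"user": username, "cred_version": user["cred_version"]}
        return token

    def is_valid(self, token: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if self.bind and sess["cred_version"] != self.users[sess["user"]]["cred_version"]:
            del self.sessions[token]  # issued before a security-relevant edit: revoke it
            return False
        return True

    def admin_set_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = _hash(new_password, user["salt"])
        user["cred_version"] += 1  # this bump is what expires already-issued sessions

def leaked_session_survives_reset(bind_to_credentials: bool) -> bool:
    """CVE scenario: a session opened with a leaked password, then an admin resets the password.
    Returns True if that original session is still accepted afterwards."""
    store = SessionStore(bind_to_credentials)
    store.add_user("alice", "leaked-password")
    old_token = store.login("alice", "leaked-password")
    store.admin_set_password("alice", "replacement-password")
    return store.is_valid(old_token)
```

With a central session store, deleting the user's sessions directly at reset time is equivalent; the generation counter also works when sessions are cached on several nodes that only see the user record.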

Affected Products
Vendor: Rapid7 LLC (Rapid7)
Product: Nexpose
Default Status: unaffected
Affected Versions:
  • From unspecified through 6.5.50 (custom)
Problem Types
  • CWE-613: Insufficient Session Expiration
Metrics
  • CVSS 3.1, base score 8.7 (HIGH), vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Solutions

This issue is resolved in versions 6.5.51 and later of Rapid7 Nexpose.

Credits

Finder
This issue was discovered, and reported to Rapid7, by independent researcher Ashutosh Barot. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).
References
  • https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/ (x_refsource_CONFIRM)
  • https://docs.rapid7.com/insightvm/enable-insightvm-platform-login (vendor-advisory)
▼Authorized Data Publishers (ADP)
CVE Program Container
References (transferred from the CNA container)
  • https://help.rapid7.com/nexpose/en-us/release-notes/archive/2019/02/ (x_refsource_CONFIRM, x_transferred)
  • https://docs.rapid7.com/insightvm/enable-insightvm-platform-login (vendor-advisory, x_transferred)