Weak Encryption in Rapid7 Nexpose's Java Keystore
CVE-2017-5230

7.2HIGH

Key Information:

Vendor

Rapid7

Status
Nexpose
Vendor
CVE Published:
2 March 2017

What is CVE-2017-5230?

Rapid7 Nexpose's Java keystore across all versions before 6.4.50 uses a static, non-modifiable password, making stored scan credentials vulnerable to exposure. This design flaw compromises the security of stored credentials, as users are unable to change the default encryption password, thus potentially allowing unauthorized access to sensitive information.

Affected Version(s)

Nexpose 6.4.49 and prior

References

https://help.rapid7.com/nexpose/en-us/release-notes/#6.4.50
x_refsource_MISC
http://www.securityfocus.com/bid/96956
vdb-entryx_refsource_BID
https://community.rapid7.com/community/infosec/blog/2017/...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.