Rapid7 InsightVM Stored Credential Exposure
CVE-2019-5615

3.1LOW

Key Information:

Vendor: Rapid7
Status: Insightvm
Vendor: CVE Published:; 9 April 2019

What is CVE-2019-5615?

Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Global Administrators and clear-text passwords for restoring backups, as well as the salt for those passwords. Valid credentials are required to access these files and malicious users would still need to perform additional work to decrypt the credentials and escalate privileges. This issue affects: Rapid7 InsightVM versions 6.5.11 through 6.5.49.

Affected Version(s)

InsightVM 6.5.49

InsightVM 6.5.11 < 6.5.11*

References

https://help.rapid7.com/insightvm/en-us/release-notes/#6....

x_refsource_CONFIRM

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2019
Vulnerability Reserved
Jan 7, 2019

Credit

This issue was discovered, and reported to Rapid7, by Robert Elliott from IBM Security. It is being disclosed in accordance Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).