Rapid7 Metasploit HTTP Handler Denial of Service
CVE-2019-5645

7.5HIGH

Key Information:

Vendor: Rapid7
Status: Metasploit Framework
Vendor: CVE Published:; 1 September 2020

What is CVE-2019-5645?

By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a resource exhaustion on the Metasploit server.

Affected Version(s)

Metasploit Framework 5.0.27

References

https://github.com/rapid7/metasploit-framework/pull/12433

x_refsource_MISC

EPSS Score

87% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 1, 2020
Vulnerability Reserved
Jan 7, 2019

Credit

This issue was reported by Jose Garduno of Dreamlab Technologies, AG