Rapid7 Nexpose SQL Injection
CVE-2022-0757

5.5MEDIUM

Key Information:

Vendor: Rapid7
Status: Nexpose
Vendor: CVE Published:; 17 March 2022

What is CVE-2022-0757?

Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. This lack of validation can allow a logged-in, authenticated attacker to manipulate the "ANY" and "OR" operators in the SearchCriteria and inject SQL code. This issue was fixed in Rapid7 Nexpose version 6.6.129.

Affected Version(s)

Nexpose 6.6.93

References

https://docs.rapid7.com/release-notes/nexpose/20220302/

x_refsource_CONFIRM

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 17, 2022
Vulnerability Reserved
Feb 24, 2022

Credit

Aleksey Solovev