{"containers": {"cna": {"affected": [{"product": "Metasploit Framework", "vendor": "Rapid7", "versions": [{"lessThanOrEqual": "4.14.0", "status": "affected", "version": "4.14.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by Doyensec, and reported privately by Luca Carettoni."}], "datePublic": "2019-04-24T00:00:00", "descriptions": [{"lang": "en", "value": "Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-04-30T16:53:31", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rapid7/metasploit-framework/pull/11716"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"}], "solutions": [{"lang": "en", "value": "Update to version 4.15.0 or later."}], "source": {"discovery": "USER"}, "title": "Rapid7 Metasploit Framework Zip Import Directory Traversal", "x_generator": {"engine": "Vulnogram 0.0.6"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2019-04-24T18:00:00.000Z", "ID": "CVE-2019-5624", "STATE": "PUBLIC", "TITLE": "Rapid7 Metasploit Framework Zip Import Directory Traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Metasploit Framework", "version": {"version_data": [{"platform": "", "version_affected": "<=", "version_name": "4.14.0", "version_value": "4.14.0"}]}}]}, "vendor_name": "Rapid7"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "This issue was discovered by Doyensec, and reported privately by Luca Carettoni."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.6"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rapid7/metasploit-framework/pull/11716", "refsource": "CONFIRM", "url": "https://github.com/rapid7/metasploit-framework/pull/11716"}, {"name": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416", "refsource": "CONFIRM", "url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"}, {"name": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html", "refsource": "MISC", "url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"}]}, "solution": [{"lang": "en", "value": "Update to version 4.15.0 or later."}], "source": {"discovery": "USER"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:01:51.586Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rapid7/metasploit-framework/pull/11716"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2019-5624", "datePublished": "2019-04-30T16:53:31.816001Z", "dateReserved": "2019-01-07T00:00:00", "dateUpdated": "2024-09-17T04:29:13.622Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:metasploit:*:*:*:*:*:*:*:*", "matchCriteriaId": "006185B3-4A66-4A98-A991-831DCCA0C619", "versionEndIncluding": "4.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions."}, {"lang": "es", "value": "Rapid7 Metasploit Framework padece de una situaci\u00f3n de CWE-22, limitaci\u00f3n inapropiada de un Pathname a un directorio restringido ('Path Traversal') en la funci\u00f3n Zip import de Metasploit. La operaci\u00f3n de esta vulnerabilidad puede permitir a un atacante ejecutar c\u00f3digo arbitrario en Metasploit desde el nivel de privilegio del usuario que ejecuta Metasploit. Este problema afecta a: Rapid7 Metasploit Framework versi\u00f3n 4.14.0 y versiones anteriores."}], "id": "CVE-2019-5624", "lastModified": "2024-11-21T04:45:15.610", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.1, "impactScore": 5.8, "source": "cve@rapid7.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-30T17:29:01.087", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"}, {"source": "cve@rapid7.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/rapid7/metasploit-framework/pull/11716"}, {"source": "cve@rapid7.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.doyensec.com/2019/04/24/rubyzip-bug.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/rapid7/metasploit-framework/pull/11716"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://help.rapid7.com/metasploit/release-notes/archive/2019/04/#20190416"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}