CVE-2024-8042

low-risk
Published 2024-09-09

Rapid7 Insight Platform versions between November 2019 and August 14, 2024 suffer from missing authorization issues whereby an attacker can intercept local requests to set the name and description of a new user group. This could potentially lead to an empty user group being added to the incorrect customer. This vulnerability is remediated as of August 14, 2024.

Do I need to act?

0.02% chance of exploitation (EPSS score, low exploit probability)
Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Patch status unknown (check vendor advisories for fix availability and mitigation guidance)
CVSS 2.4/10 Low (ADJACENT_NETWORK / HIGH complexity)

Affected Products (1)

Insight Platform

Affected Vendors

References (1)

11 / 100
low-risk
Severity 6/34 · Minimal
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal