CVE-2022-3913: Nexpose Release Notes

Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server’s FQDN or redirect legitimate traffic to the attacker’s server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.
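The defect class in this advisory is an HTTPS update client that never checks the server certificate. The following added example (not Rapid7's code; the update URL is a constructed placeholder) shows the weak client context beside the corrected one, plus a review-time audit a defender can run over any outbound TLS context before it is used for an update download.

```python
import ssl
import urllib.request
from typing import List, Optional

# Constructed placeholder; the real Rapid7 update server FQDN is not on this page.
UPDATE_URL = "https://updates.example.invalid/nexpose/latest"


def weak_context() -> ssl.SSLContext:
    """The failure mode of CVE-2022-3913: TLS carries the download, but the
    peer certificate is never validated, so an on-path attacker's endpoint
    (or a spoofed FQDN) is accepted just like the legitimate server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # no FQDN match (must be cleared first)
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: validate the chain against the system CA
    store (or a pinned cafile), require the certificate to match the update
    server FQDN, and refuse TLS versions older than 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Review-time check for any outbound TLS client context. Returns the
    list of findings; an empty list means the peer is actually validated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not tied to FQDN")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def download_update(url: str = UPDATE_URL, ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Fetch the package only over a context that passes the audit. The package
    must still be checked against the separate code-signing certificate (not shown)."""
    ctx = ctx or hardened_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("insecure update transport: " + "; ".join(problems))
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()
```

The transport check is only the first layer: as the advisory notes, the package signature is validated separately, which is why a forged HTTPS endpoint alone could not substitute a malicious update.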
