CVE-2022-3913: Nexpose Release Notes
Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server’s FQDN or redirect legitimate traffic to the attacker’s server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.
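The two controls the advisory describes, HTTPS certificate validation for the update download and a separate code-signing check on the package, as an added Go illustration that is not Rapid7's code. Assumptions are labelled in the comments: the `updateHost` parameter, and Ed25519 over SHA-256 as a stand-in for whatever signature scheme the product actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"fmt"
)

// UpdateTLSConfig: client TLS settings for fetching packages. With
// InsecureSkipVerify false, Go validates the chain against the trust store and
// checks the certificate against ServerName (assumed update-server FQDN).
func UpdateTLSConfig(updateHost string) *tls.Config {
	return &tls.Config{
		ServerName:         updateHost,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false, // must never be true in an update client
	}
}

// SignPackage is the publisher-side step: a detached signature over the
// package digest. Assumed scheme: Ed25519 over SHA-256 (not stated by the advisory).
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// VerifyPackage is the client-side check that limited the bug's impact: a
// package from an impostor endpoint is rejected without a valid publisher signature.
func VerifyPackage(pub ed25519.PublicKey, pkg, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("publisher key has wrong size %d", len(pub))
	}
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(pub, digest[:], sig) {
		return fmt.Errorf("code signature invalid: refusing to install")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the publisher key pair
	pkg := []byte("constructed sample update package")  // constructed, not a real package
	sig := SignPackage(priv, pkg)
	fmt.Println("genuine:", VerifyPackage(pub, pkg, sig))
	pkg[0] ^= 0xff // one tampered byte invalidates the signature
	fmt.Println("tampered:", VerifyPackage(pub, pkg, sig))
}
```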