CVE-2019-5624
Summary
| CVE | CVE-2019-5624 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-04-30 17:29:00 UTC |
| Updated | 2023-02-01 02:22:00 UTC |
| Description | Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions. |
Risk And Classification
Problem Types: CWE-22
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rapid7 | Metasploit | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Zip import directory traversal mitigation by sgonzalez-r7 · Pull Request #11716 · rapid7/metasploit-framework · GitHub | CONFIRM | github.com | Exploit, Patch, Third Party Advisory |
| On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624) · Doyensec's Blog | MISC | blog.doyensec.com | Exploit, Third Party Advisory |
| Metasploit Release Notes Archive - April 2019 | CONFIRM | help.rapid7.com | Release Notes, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This issue was discovered by Doyensec, and reported privately by Luca Carettoni.
There are currently no legacy QID mappings associated with this CVE.