CVE-2019-5631
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. If exploited, a local user of the system (who must already be authenticated to the operating system) can elevate their privileges with this vulnerability to the privilege level of InsightAppSec (usually, SYSTEM). This issue affects version 2019.06.24 and prior versions of the product.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Rapid7 | InsightAppSec | 2019.06.24 <= 2019.06.24 | affected |
Weaknesses
- CWE-427: CWE-427: Uncontrolled Search Path Element
Workarounds
If the patching update (2019.07.08 and above) cannot be applied, system administrators of machines running Rapid7 InsightAppSec should not grant local logon privileges to untrusted users.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.