CVE-2022-0757

Summary

Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. This lack of validation can allow a logged-in, authenticated attacker to manipulate the "ANY" and "OR" operators in the SearchCriteria and inject SQL code. This issue was fixed in Rapid7 Nexpose version 6.6.129.

Affected Software

VendorProductVersion RangeStatus
Rapid7Nexpose6.6.93 < 6.6.93affected

Weaknesses

  • CWE-89: CWE-89 SQL Injection

ADP Enrichment

CVE Program Container

Additional References

References