CVE-2017-5244 - Vulnerability Details - OpenCVE

Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript. As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prevent CSRF attacks.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rapid7	Metasploit

Configuration 1 [-]

cpe:2.3:a:rapid7:metasploit:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/99082
https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed
https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/

History

No history.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2017-06-15T14:00:00

Updated: 2024-08-05T14:55:35.787Z

Reserved: 2017-01-09T00:00:00

Link: CVE-2017-5244

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-06-15T14:29:00.213

Modified: 2024-11-21T03:27:21.553

Link: CVE-2017-5244

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Metasploit (Pro, Express, and Community editions)", "vendor": "Rapid7", "versions": [{"status": "affected", "version": "< 4.14.0 (Update 2017061301)"}]}], "datePublic": "2017-06-14T00:00:00", "descriptions": [{"lang": "en", "value": "Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript. As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prevent CSRF attacks."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 (Cross-Site Request Forgery)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-06-16T09:57:01", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"name": "99082", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99082"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed"}, {"tags": ["x_refsource_MISC"], "url": "https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "ID": "CVE-2017-5244", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Metasploit (Pro, Express, and Community editions)", "version": {"version_data": [{"version_value": "< 4.14.0 (Update 2017061301)"}]}}]}, "vendor_name": "Rapid7"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript. As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prevent CSRF attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 (Cross-Site Request Forgery)"}]}]}, "references": {"reference_data": [{"name": "99082", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99082"}, {"name": "https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed", "refsource": "CONFIRM", "url": "https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed"}, {"name": "https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/", "refsource": "MISC", "url": "https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:55:35.787Z"}, "title": "CVE Program Container", "references": [{"name": "99082", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99082"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2017-5244", "datePublished": "2017-06-15T14:00:00", "dateReserved": "2017-01-09T00:00:00", "dateUpdated": "2024-08-05T14:55:35.787Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rapid7:metasploit:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0B5DBE6-9BC1-47DD-9F27-AAED6E2E9501", "versionEndIncluding": "4.13.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to execute JavaScript. As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which validate the presence of a secret token to prevent CSRF attacks."}, {"lang": "es", "value": "Las rutas empleadas para dejar de ejecutar tareas de Metasploit (espec\u00edficas o todas) permit\u00edan peticiones GET. Solo deber\u00edan haberse permitido las peticiones POST, ya que las rutas stop/stop_all cambian el estado del servicio. Esto podr\u00eda haber permitido que un atacante detenga las tareas de Metasploit actualmente en ejecuci\u00f3n haciendo que un usuario autenticado ejecute JavaScript. En Metasploit 4.14.0 (Update 2017061301), las rutas para detener tareas solo permiten peticiones POST, que validan la presencia de un token secreto para evitar ataques Cross-Site Request Forgery (CSRF)."}], "id": "CVE-2017-5244", "lastModified": "2024-11-21T03:27:21.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-15T14:29:00.213", "references": [{"source": "cve@rapid7.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99082"}, {"source": "cve@rapid7.com", "tags": ["Exploit", "VDB Entry", "Vendor Advisory"], "url": "https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed"}, {"source": "cve@rapid7.com", "tags": ["Third Party Advisory"], "url": "https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99082"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "VDB Entry", "Vendor Advisory"], "url": "https://community.rapid7.com/community/metasploit/blog/2017/06/15/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.seekurity.com/blog/general/metasploit-web-project-kill-all-running-tasks-csrf-CVE-2017-5244/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}