Insightvm
CVE-2024-6504
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionNVD
Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261.
AnalysisAI
Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure whereby an attacker with network access to the InsightVM Console can cause it to overload or crash by sending repeated invalid REST requests in a short timeframe, to the Console's port 443 causing the console to enter an exception handling logging loop, exhausting the CPU. There is no indication that an attacker can use this method to escalate privilege, acquire unauthorized access to data, or gain control of protected resources. This issue is fixed in version 6.6.261. Affected products include: Rapid7 Insightvm. Version information: version 6.6.261..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set resource limits, implement rate limiting, validate input sizes.
Rapid7 Nexpose and InsightVM versions prior to 6.6.172 failed to reliably validate the authenticity of update contents.
Users with Site-level permissions can access files containing the username-encrypted passwords of Security Console Globa
Rapid7 InsightVM versions 6.6.178 and lower suffers from an open redirect vulnerability, whereby an attacker has the abi
Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sens
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today