CVE-2020-7384

Exploit

EPSS 70.09%
Veröffentlicht 29.10.2020 15:15:12
Zuletzt bearbeitet 21.11.2024 05:37:08
Quelle cve@rapid7.com
CVE-Watchlists
Login
Unerledigt
Login

Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rapid7 ≫ Metasploit Version < 4.19.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	70.09%	0.986

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
cve@rapid7.com	7	1	5.9	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://packetstormsecurity.com/files/160004/Rapid7-Metasploit-Framework-msfvenom-APK-Template-Command-Injection.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/161200/Metasploit-Framework-6.0.11-Command-Injection.html

Third Party Advisory

Exploit

VDB Entry

https://github.com/rapid7/metasploit-framework/pull/14288

Patch

Third Party Advisory

Exploit