Rapid7 InsightVM Signature Validation Vulnerability

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

密码学签名的验证不恰当

Rapid7 InsightVM 安全漏洞

Rapid7 InsightVM是美国Rapid7公司的一款漏洞扫描和管理应用程序。 Rapid7 InsightVM 8.34.0之前版本存在安全漏洞，该漏洞源于断言消费者服务云端点的签名验证问题，可能导致攻击者未经授权访问通过安全控制台安装设置的InsightVM账户，造成账户接管。

N/A

N/A