What is CVE-2017-5244?

CVE-2017-5244 is a low-severity vulnerability in Rapid7 Metasploit, classified under Cross-Site Request Forgery (CSRF). CVSS score: 3.5/10. Published 2017-06-15.

How severe is CVE-2017-5244?

Low severity. CVSS v3 base score is 3.5 out of 10.

Is CVE-2017-5244 known to be exploited?

37 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

CSRF in Rapid7 Metasploit

CVE-2017-5244

Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an a…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.002 (42.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.5 (Low). Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L.

Affected products

Rapid7 Metasploit
Rapid7 Metasploit (Pro, Express, And Community Editions) — versions < 4.14.0 (Update 2017061301)

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

Public proof-of-concept exploits

References

cve@rapid7.com (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)
cve@rapid7.com (x_refsource_CONFIRM, Exploit, VDB Entry, Vendor Advisory)
cve@rapid7.com (Third Party Advisory, x_refsource_MISC)

Frequently asked questions

What is CVE-2017-5244?: CVE-2017-5244 is a low-severity vulnerability in Rapid7 Metasploit, classified under Cross-Site Request Forgery (CSRF). CVSS score: 3.5/10. Published 2017-06-15.
How severe is CVE-2017-5244?: Low severity. CVSS v3 base score is 3.5 out of 10.
Is CVE-2017-5244 known to be exploited?: 37 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.