Search criteria
26 vulnerabilities found for Velociraptor by Rapid7
CVE-2025-14728 (GCVE-0-2025-14728)
Vulnerability from nvd – Published: 2025-12-29 19:04 – Updated: 2025-12-30 22:26
VLAI?
Title
Rapid7 Velociraptor Directory Traversal Vulnerability
Summary
Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." AS "%2E".
Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.
Severity ?
6.8 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.75.6
(semver)
|
Credits
We thank @_chebuya for identifying and reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-30T21:54:55.659289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T22:26:47.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Velociraptor",
"repo": "https://github.com/Velocidex/velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.75.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected.\u003c/p\u003e\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "This vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "We thank @_chebuya for identifying and reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\u003c/p\u003e\n\u003cp\u003eAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files.\u003c/p\u003e"
}
],
"value": "Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\n\n\nAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T19:04:27.820Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rapid7 Velociraptor Directory Traversal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2025-14728",
"datePublished": "2025-12-29T19:04:27.820Z",
"dateReserved": "2025-12-15T16:45:47.021Z",
"dateUpdated": "2025-12-30T22:26:47.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6264 (GCVE-0-2025-6264)
Vulnerability from nvd – Published: 2025-06-20 02:01 – Updated: 2025-11-28 19:10
VLAI?
Title
Velociraptor priviledge escalation via UpdateConfig artifact
Summary
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.
The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration.
This can lead to arbitrary command execution and endpoint takeover.
To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).
Severity ?
5.5 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.74.3
(semver)
|
Credits
We thank Christian Fünfhaus from Deutsche Bahn CSIRT for identifying and reporting this issue
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T19:10:10.273114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T19:10:18.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"url": "https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/"
},
{
"url": "https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Velociraptor",
"repo": "https://github.com/Velocidex/velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.74.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
}
],
"value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "We thank Christian F\u00fcnfhaus from Deutsche Bahn CSIRT for identifying and reporting this issue"
}
],
"datePublic": "2025-06-19T00:44:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u0026nbsp; To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\u003cbr\u003e\u003cbr\u003eThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \u003cbr\u003e\u003cbr\u003eThis can lead to arbitrary command execution and endpoint takeover.\u003cbr\u003e\u003cbr\u003eTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role).\u0026nbsp;"
}
],
"value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u00a0 To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\n\nThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \n\nThis can lead to arbitrary command execution and endpoint takeover.\n\nTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role)."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-22T23:23:30.800Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-6264/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor priviledge escalation via UpdateConfig artifact",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\u003c/a\u003e\u003cbr\u003e\u003cbr\u003eTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\u003c/a\u003e"
}
],
"value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts \n\nTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2025-6264",
"datePublished": "2025-06-20T02:01:33.993Z",
"dateReserved": "2025-06-19T00:22:46.272Z",
"dateUpdated": "2025-11-28T19:10:18.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0914 (GCVE-0-2025-0914)
Vulnerability from nvd – Published: 2025-02-27 16:07 – Updated: 2025-02-27 16:19
VLAI?
Title
Velociraptor Shell Plugin Prevent_execve Bypass
Summary
An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.
Severity ?
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.73.4
(semver)
|
Credits
Darragh O'Reilly, SUSE
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T16:19:47.398915Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T16:19:54.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.73.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Darragh O\u0027Reilly, SUSE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u0026lt; 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.\u003cbr\u003e"
}
],
"value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u003c 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4."
}
],
"impacts": [
{
"capecId": "CAPEC-176",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-176 Configuration/Environment Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T16:07:49.577Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-0914/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor Shell Plugin Prevent_execve Bypass",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2025-0914",
"datePublished": "2025-02-27T16:07:49.577Z",
"dateReserved": "2025-01-30T22:39:47.257Z",
"dateUpdated": "2025-02-27T16:19:54.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10526 (GCVE-0-2024-10526)
Vulnerability from nvd – Published: 2024-11-07 10:18 – Updated: 2024-11-07 18:31
VLAI?
Title
Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service
Summary
Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely. This issue is fixed in version 0.73.3.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
<0.73.2
(custom)
|
Credits
Jean-Baptiste Mesnard-Sense from Synackti
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "velociraptor",
"vendor": "rapid7",
"versions": [
{
"lessThan": "0.73.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T18:29:55.331358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T18:31:26.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"status": "affected",
"version": "\u003c0.73.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jean-Baptiste Mesnard-Sense from Synackti"
}
],
"datePublic": "2024-11-05T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u0026nbsp; This issue is fixed in version 0.73.3."
}
],
"value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u00a0 This issue is fixed in version 0.73.3."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:D/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T10:29:26.459Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/2024-cves/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2024-10526",
"datePublished": "2024-11-07T10:18:05.530Z",
"dateReserved": "2024-10-30T10:22:28.725Z",
"dateUpdated": "2024-11-07T18:31:26.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5950 (GCVE-0-2023-5950)
Vulnerability from nvd – Published: 2023-11-06 14:30 – Updated: 2024-09-05 13:42
VLAI?
Title
Rapid7 Velociraptor Reflected XSS
Summary
Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).
Severity ?
8.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.7.0-4
(custom)
|
Credits
Mathias Kujala
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:14:25.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:41:29.922872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:42:38.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.7.0-4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mathias Kujala"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u0026nbsp;This vulnerability is fixed in\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;version 0.7.0-04 and a\u003c/span\u003e\u0026nbsp;patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u00a0This vulnerability is fixed in\u00a0version 0.7.0-04 and a\u00a0patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T14:30:28.972Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Rapid7 Velociraptor Reflected XSS ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-5950",
"datePublished": "2023-11-06T14:30:28.972Z",
"dateReserved": "2023-11-03T10:13:59.198Z",
"dateUpdated": "2024-09-05T13:42:38.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2226 (GCVE-0-2023-2226)
Vulnerability from nvd – Published: 2023-04-21 11:48 – Updated: 2025-02-04 20:33
VLAI?
Title
Velociraptor crashes while parsing some malformed PE or OLE files.
Summary
Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.
For this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.6.8
(semver)
|
Credits
Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T20:33:39.813217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T20:33:45.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Velocidex/velociraptor/releases",
"defaultStatus": "unaffected",
"modules": [
"PE Parser",
"OLE parser",
"Authenticode parser"
],
"packageName": "Velociraptor",
"platforms": [
"Windows"
],
"product": "Velociraptor",
"repo": "https://github.com/Velocidex/velociraptor/",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes"
}
],
"datePublic": "2023-04-21T11:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u00a0\n\nFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-21T11:48:46.279Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://github.com/Velocidex/velociraptor"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade the clients to version 0.6.8-2"
}
],
"value": "Upgrade the clients to version 0.6.8-2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor crashes while parsing some malformed PE or OLE files.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-2226",
"datePublished": "2023-04-21T11:48:46.279Z",
"dateReserved": "2023-04-21T11:40:07.131Z",
"dateUpdated": "2025-02-04T20:33:45.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0290 (GCVE-0-2023-0290)
Vulnerability from nvd – Published: 2023-01-18 21:10 – Updated: 2025-04-03 19:52
VLAI?
Title
Rapid7 Velociraptor directory traversal in client ID parameter
Summary
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.
Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to "administrator" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role.
To exploit this vulnerability, the attacker must already have a Velociraptor user account at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.
This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
Severity ?
4.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.6.7-5
(semver)
|
Credits
Paul Alkemade from Telstra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T15:57:02.778328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:52:44.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Velocidex/velociraptor/releases",
"defaultStatus": "unaffected",
"modules": [
"CreateCollection API"
],
"packageName": "Velociraptor",
"platforms": [
"Windows",
"Linux",
"MacOS",
"64 bit",
"32 bit"
],
"product": "Velociraptor",
"programFiles": [
"https://github.com/Velocidex/velociraptor/blob/master/services/launcher/launcher.go"
],
"programRoutines": [
{
"name": "ScheduleArtifactCollection()"
}
],
"repo": "https://github.com/Velocidex/velociraptor/",
"vendor": "Rapid7",
"versions": [
{
"changes": [
{
"at": "5",
"status": "unaffected"
}
],
"lessThan": "0.6.7-5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\u003cbr\u003e"
}
],
"value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\n"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Paul Alkemade from Telstra"
}
],
"datePublic": "2023-01-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\u003cbr\u003e\u003cbr\u003eNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\u003cbr\u003e\u003cp\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u0026nbsp;be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
}
],
"value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\n\nNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u00a0be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T21:10:42.929Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://github.com/Velocidex/velociraptor"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to 0.6.7-5\u003cbr\u003e"
}
],
"value": "Upgrade to 0.6.7-5\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-01-13T05:23:00.000Z",
"value": "Notification of the issue"
},
{
"lang": "en",
"time": "2023-01-17T02:00:00.000Z",
"value": "Release 0.6.7-5 made available on Github"
}
],
"title": "Rapid7 Velociraptor directory traversal in client ID parameter ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-0290",
"datePublished": "2023-01-18T21:10:42.929Z",
"dateReserved": "2023-01-13T15:10:30.966Z",
"dateUpdated": "2025-04-03T19:52:44.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0242 (GCVE-0-2023-0242)
Vulnerability from nvd – Published: 2023-01-18 20:57 – Updated: 2025-04-03 19:51
VLAI?
Title
Insufficient permission check in the VQL copy() function
Summary
Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.
The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files.
To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).
This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy().
This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.6.7-5
(semver)
|
Credits
Paul Alkemade from Telstra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.109Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T15:58:54.468796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:51:46.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Velocidex/velociraptor/releases",
"defaultStatus": "unaffected",
"modules": [
"VQL copy() function"
],
"packageName": "Velociraptor",
"platforms": [
"Linux",
"Windows",
"MacOS",
"64 bit",
"32 bit"
],
"product": "Velociraptor",
"programFiles": [
"https://github.com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go"
],
"programRoutines": [
{
"name": "copy()"
}
],
"repo": "https://github.com/Velocidex/velociraptor/",
"vendor": "Rapid7",
"versions": [
{
"changes": [
{
"at": "5",
"status": "unaffected"
}
],
"lessThan": "0.6.7-5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
}
],
"value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Paul Alkemade from Telstra"
}
],
"datePublic": "2023-01-18T02:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\u003cbr\u003e\u003cbr\u003eThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\u003cbr\u003e\u003cbr\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\u003cbr\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\"\u003ehttps://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\u003c/a\u003e\u003c/tt\u003e and program routines \u003ctt\u003ecopy()\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
}
],
"value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\n\nThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\n\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\nThis vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy().\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-75",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-75 Manipulating Writeable Configuration Files"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T20:57:30.570Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to 0.6.7-5"
}
],
"value": "Upgrade to 0.6.7-5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-01-12T07:00:00.000Z",
"value": "Notification of the issue"
},
{
"lang": "en",
"time": "2023-01-17T02:00:00.000Z",
"value": "Release 0.6.7-5 made available on Github"
}
],
"title": "Insufficient permission check in the VQL copy() function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\u003cbr\u003e\u003cbr\u003e1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\u003cbr\u003e2. This will add a default allow list to the configuration file.\u003cbr\u003e3. Copy this allow list to your existing server.config.yaml\u003cbr\u003e4. Ensure the \"copy\" function is removed from the default allow list."
}
],
"value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\n\n1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\n2. This will add a default allow list to the configuration file.\n3. Copy this allow list to your existing server.config.yaml\n4. Ensure the \"copy\" function is removed from the default allow list."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-0242",
"datePublished": "2023-01-18T20:57:30.570Z",
"dateReserved": "2023-01-12T13:35:35.391Z",
"dateUpdated": "2025-04-03T19:51:46.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35632 (GCVE-0-2022-35632)
Vulnerability from nvd – Published: 2022-07-29 17:01 – Updated: 2024-09-16 23:26
VLAI?
Title
XSS in User Interface
Summary
The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.412Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:01:01",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "XSS in User Interface",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35632",
"STATE": "PUBLIC",
"TITLE": "XSS in User Interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35632",
"datePublished": "2022-07-29T17:01:01.834546Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-16T23:26:36.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35631 (GCVE-0-2022-35631)
Vulnerability from nvd – Published: 2022-07-29 17:00 – Updated: 2024-09-16 22:20
VLAI?
Title
Filesystem race on temporary files
Summary
On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-377 - Insecure Temporary File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.422Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377 Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:00:46",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Filesystem race on temporary files",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35631",
"STATE": "PUBLIC",
"TITLE": "Filesystem race on temporary files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-377 Insecure Temporary File"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35631",
"datePublished": "2022-07-29T17:00:46.360561Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-16T22:20:46.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35630 (GCVE-0-2022-35630)
Vulnerability from nvd – Published: 2022-07-29 17:00 – Updated: 2024-09-17 02:20
VLAI?
Title
Unsafe HTML Injection in Artifact Collection Report
Summary
A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:00:33",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsafe HTML Injection in Artifact Collection Report",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35630",
"STATE": "PUBLIC",
"TITLE": "Unsafe HTML Injection in Artifact Collection Report"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35630",
"datePublished": "2022-07-29T17:00:33.544112Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-17T02:20:37.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35629 (GCVE-0-2022-35629)
Vulnerability from nvd – Published: 2022-07-29 17:00 – Updated: 2024-09-16 20:26
VLAI?
Title
Velociraptor Client ID Spoofing
Summary
Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:00:21",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor Client ID Spoofing",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35629",
"STATE": "PUBLIC",
"TITLE": "Velociraptor Client ID Spoofing"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35629",
"datePublished": "2022-07-29T17:00:21.251524Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-16T20:26:44.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3619 (GCVE-0-2021-3619)
Vulnerability from nvd – Published: 2021-08-17 19:07 – Updated: 2024-09-17 03:59
VLAI?
Title
Rapid7 Velociraptor Notebooks Authenticated Persistent XSS
Summary
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds.
Severity ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.5.9 , ≤ 0.5.9
(custom)
|
Credits
Mike Cohen of Rapid7 discovered and fixed this vulnerability as part of routine software maintenance.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor/pull/1118"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThanOrEqual": "0.5.9",
"status": "affected",
"version": "0.5.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mike Cohen of Rapid7 discovered and fixed this vulnerability as part of routine software maintenance."
}
],
"datePublic": "2021-06-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T19:07:39",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Velocidex/velociraptor/pull/1118"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Rapid7 Velociraptor Notebooks Authenticated Persistent XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2021-06-21T15:21:00.000Z",
"ID": "CVE-2021-3619",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Velociraptor Notebooks Authenticated Persistent XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0.5.9",
"version_value": "0.5.9"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Mike Cohen of Rapid7 discovered and fixed this vulnerability as part of routine software maintenance."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Velocidex/velociraptor/pull/1118",
"refsource": "MISC",
"url": "https://github.com/Velocidex/velociraptor/pull/1118"
},
{
"name": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0",
"refsource": "CONFIRM",
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-3619",
"datePublished": "2021-08-17T19:07:39.160750Z",
"dateReserved": "2021-06-24T00:00:00",
"dateUpdated": "2024-09-17T03:59:06.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-14728 (GCVE-0-2025-14728)
Vulnerability from cvelistv5 – Published: 2025-12-29 19:04 – Updated: 2025-12-30 22:26
VLAI?
Title
Rapid7 Velociraptor Directory Traversal Vulnerability
Summary
Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." AS "%2E".
Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files.
Severity ?
6.8 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.75.6
(semver)
|
Credits
We thank @_chebuya for identifying and reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-30T21:54:55.659289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T22:26:47.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Velociraptor",
"repo": "https://github.com/Velocidex/velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.75.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected.\u003c/p\u003e\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "This vulnerability only occurs on Velociraptor server running on Linux (which is the common and recommended configuration). Velociraptor servers running on Windows are not affected."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "We thank @_chebuya for identifying and reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eRapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\u003c/p\u003e\n\u003cp\u003eAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files.\u003c/p\u003e"
}
],
"value": "Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a \".\", only encoding the final \".\" AS \"%2E\".\n\n\nAlthough files can be written to incorrect locations, the containing directory must end with \"%2E\". This limits the impact of this vulnerability, and prevents it from overwriting critical files."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T19:04:27.820Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rapid7 Velociraptor Directory Traversal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2025-14728",
"datePublished": "2025-12-29T19:04:27.820Z",
"dateReserved": "2025-12-15T16:45:47.021Z",
"dateUpdated": "2025-12-30T22:26:47.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6264 (GCVE-0-2025-6264)
Vulnerability from cvelistv5 – Published: 2025-06-20 02:01 – Updated: 2025-11-28 19:10
VLAI?
Title
Velociraptor priviledge escalation via UpdateConfig artifact
Summary
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.
The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration.
This can lead to arbitrary command execution and endpoint takeover.
To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role).
Severity ?
5.5 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.74.3
(semver)
|
Credits
We thank Christian Fünfhaus from Deutsche Bahn CSIRT for identifying and reporting this issue
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T19:10:10.273114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T19:10:18.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"url": "https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/"
},
{
"url": "https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS",
"Linux"
],
"product": "Velociraptor",
"repo": "https://github.com/Velocidex/velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.74.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
}
],
"value": "Users who rely on artifacts to prevent dangerous actions from already privileged users."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "We thank Christian F\u00fcnfhaus from Deutsche Bahn CSIRT for identifying and reporting this issue"
}
],
"datePublic": "2025-06-19T00:44:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u0026nbsp; To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\u003cbr\u003e\u003cbr\u003eThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \u003cbr\u003e\u003cbr\u003eThis can lead to arbitrary command execution and endpoint takeover.\u003cbr\u003e\u003cbr\u003eTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role).\u0026nbsp;"
}
],
"value": "Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions.\u00a0 To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch.\n\nThe Admin.Client.UpdateClientConfig is an artifact used to update the client\u0027s configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the \"Investigator\" role) to collect it from endpoints and update the configuration. \n\nThis can lead to arbitrary command execution and endpoint takeover.\n\nTo successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the \"Investigator\u0027 role)."
}
],
"impacts": [
{
"capecId": "CAPEC-23",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-23 File Content Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-22T23:23:30.800Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-6264/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor priviledge escalation via UpdateConfig artifact",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts\u003c/a\u003e\u003cbr\u003e\u003cbr\u003eTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\"\u003ehttps://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts\u003c/a\u003e"
}
],
"value": "To better restrict the types of artifacts users can run, the `basic artifacts` mechanism should be used as described\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#basic-artifacts \n\nTo detect unintended privilege escalations in custom artifacts, users should run the artifact verifier as described here\u00a0 https://docs.velociraptor.app/docs/artifacts/security/#restricting-dangerous-client-artifacts"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2025-6264",
"datePublished": "2025-06-20T02:01:33.993Z",
"dateReserved": "2025-06-19T00:22:46.272Z",
"dateUpdated": "2025-11-28T19:10:18.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0914 (GCVE-0-2025-0914)
Vulnerability from cvelistv5 – Published: 2025-02-27 16:07 – Updated: 2025-02-27 16:19
VLAI?
Title
Velociraptor Shell Plugin Prevent_execve Bypass
Summary
An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.
Severity ?
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.73.4
(semver)
|
Credits
Darragh O'Reilly, SUSE
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T16:19:47.398915Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T16:19:54.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.73.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Darragh O\u0027Reilly, SUSE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u0026lt; 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.\u003cbr\u003e"
}
],
"value": "An improper access control issue in the VQL shell feature in Velociraptor Versions \u003c 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4."
}
],
"impacts": [
{
"capecId": "CAPEC-176",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-176 Configuration/Environment Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T16:07:49.577Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/advisories/cve-2025-0914/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor Shell Plugin Prevent_execve Bypass",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2025-0914",
"datePublished": "2025-02-27T16:07:49.577Z",
"dateReserved": "2025-01-30T22:39:47.257Z",
"dateUpdated": "2025-02-27T16:19:54.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10526 (GCVE-0-2024-10526)
Vulnerability from cvelistv5 – Published: 2024-11-07 10:18 – Updated: 2024-11-07 18:31
VLAI?
Title
Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service
Summary
Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely. This issue is fixed in version 0.73.3.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
<0.73.2
(custom)
|
Credits
Jean-Baptiste Mesnard-Sense from Synackti
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "velociraptor",
"vendor": "rapid7",
"versions": [
{
"lessThan": "0.73.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T18:29:55.331358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T18:31:26.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"status": "affected",
"version": "\u003c0.73.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jean-Baptiste Mesnard-Sense from Synackti"
}
],
"datePublic": "2024-11-05T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u0026nbsp; This issue is fixed in version 0.73.3."
}
],
"value": "Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor\u0027s files. By modifying Velociraptor\u0027s files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely.\u00a0 This issue is fixed in version 0.73.3."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:D/RE:L/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T10:29:26.459Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://docs.velociraptor.app/announcements/2024-cves/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2024-10526",
"datePublished": "2024-11-07T10:18:05.530Z",
"dateReserved": "2024-10-30T10:22:28.725Z",
"dateUpdated": "2024-11-07T18:31:26.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5950 (GCVE-0-2023-5950)
Vulnerability from cvelistv5 – Published: 2023-11-06 14:30 – Updated: 2024-09-05 13:42
VLAI?
Title
Rapid7 Velociraptor Reflected XSS
Summary
Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).
Severity ?
8.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.7.0-4
(custom)
|
Credits
Mathias Kujala
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:14:25.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:41:29.922872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:42:38.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.7.0-4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mathias Kujala"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u0026nbsp;This vulnerability is fixed in\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;version 0.7.0-04 and a\u003c/span\u003e\u0026nbsp;patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user\u0027s web browser.\u00a0This vulnerability is fixed in\u00a0version 0.7.0-04 and a\u00a0patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1).\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T14:30:28.972Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.7.0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Rapid7 Velociraptor Reflected XSS ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-5950",
"datePublished": "2023-11-06T14:30:28.972Z",
"dateReserved": "2023-11-03T10:13:59.198Z",
"dateUpdated": "2024-09-05T13:42:38.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2226 (GCVE-0-2023-2226)
Vulnerability from cvelistv5 – Published: 2023-04-21 11:48 – Updated: 2025-02-04 20:33
VLAI?
Title
Velociraptor crashes while parsing some malformed PE or OLE files.
Summary
Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.
For this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.6.8
(semver)
|
Credits
Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T20:33:39.813217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T20:33:45.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Velocidex/velociraptor/releases",
"defaultStatus": "unaffected",
"modules": [
"PE Parser",
"OLE parser",
"Authenticode parser"
],
"packageName": "Velociraptor",
"platforms": [
"Windows"
],
"product": "Velociraptor",
"repo": "https://github.com/Velocidex/velociraptor/",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thanks to b1tg https://github.com/b1tg for reporting these issues and providing samples that trigger the crashes"
}
],
"datePublic": "2023-04-21T11:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Due to insufficient validation in the PE and OLE parsers in Rapid7\u0027s Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during parsing of maliciously malformed files.\u00a0\n\nFor this attack to succeed, the attacker needs to be able to introduce malicious files to the system at the same time that Velociraptor attempts to collect any artifacts that attempt to parse PE files, Authenticode signatures, or OLE files. After crashing, the Velociraptor service will restart and it will still be possible to collect other artifacts.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-21T11:48:46.279Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://github.com/Velocidex/velociraptor"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade the clients to version 0.6.8-2"
}
],
"value": "Upgrade the clients to version 0.6.8-2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor crashes while parsing some malformed PE or OLE files.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-2226",
"datePublished": "2023-04-21T11:48:46.279Z",
"dateReserved": "2023-04-21T11:40:07.131Z",
"dateUpdated": "2025-02-04T20:33:45.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0290 (GCVE-0-2023-0290)
Vulnerability from cvelistv5 – Published: 2023-01-18 21:10 – Updated: 2025-04-03 19:52
VLAI?
Title
Rapid7 Velociraptor directory traversal in client ID parameter
Summary
Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of "../clients/server" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.
Normally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to "administrator" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role.
To exploit this vulnerability, the attacker must already have a Velociraptor user account at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.
This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
Severity ?
4.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.6.7-5
(semver)
|
Credits
Paul Alkemade from Telstra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T15:57:02.778328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:52:44.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Velocidex/velociraptor/releases",
"defaultStatus": "unaffected",
"modules": [
"CreateCollection API"
],
"packageName": "Velociraptor",
"platforms": [
"Windows",
"Linux",
"MacOS",
"64 bit",
"32 bit"
],
"product": "Velociraptor",
"programFiles": [
"https://github.com/Velocidex/velociraptor/blob/master/services/launcher/launcher.go"
],
"programRoutines": [
{
"name": "ScheduleArtifactCollection()"
}
],
"repo": "https://github.com/Velocidex/velociraptor/",
"vendor": "Rapid7",
"versions": [
{
"changes": [
{
"at": "5",
"status": "unaffected"
}
],
"lessThan": "0.6.7-5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\u003cbr\u003e"
}
],
"value": "Velociraptor deployment with multiple users at roles of lesser privileges than administrators, but at least the level of \"investigator.\"\n"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Paul Alkemade from Telstra"
}
],
"datePublic": "2023-01-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\u003cbr\u003e\u003cbr\u003eNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\u003cbr\u003e\u003cp\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u0026nbsp;be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
}
],
"value": "Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task could be written. It was possible to provide a client id of \"../clients/server\" to schedule the collection for the server (as a server artifact), but only require privileges to schedule collections on the client.\n\nNormally, to schedule an artifact on the server, the COLLECT_SERVER permission is required. This permission is normally only granted to \"administrator\" role. Due to this issue, it is sufficient to have the COLLECT_CLIENT privilege, which is normally granted to the \"investigator\" role.\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at least \"investigator\" level, and\u00a0be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with limited access to a trusted group, and most users will already be administrators within the GUI.\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T21:10:42.929Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"url": "https://github.com/Velocidex/velociraptor"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to 0.6.7-5\u003cbr\u003e"
}
],
"value": "Upgrade to 0.6.7-5\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-01-13T05:23:00.000Z",
"value": "Notification of the issue"
},
{
"lang": "en",
"time": "2023-01-17T02:00:00.000Z",
"value": "Release 0.6.7-5 made available on Github"
}
],
"title": "Rapid7 Velociraptor directory traversal in client ID parameter ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-0290",
"datePublished": "2023-01-18T21:10:42.929Z",
"dateReserved": "2023-01-13T15:10:30.966Z",
"dateUpdated": "2025-04-03T19:52:44.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0242 (GCVE-0-2023-0242)
Vulnerability from cvelistv5 – Published: 2023-01-18 20:57 – Updated: 2025-04-03 19:51
VLAI?
Title
Insufficient permission check in the VQL copy() function
Summary
Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.
The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files.
To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).
This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy().
This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0 , < 0.6.7-5
(semver)
|
Credits
Paul Alkemade from Telstra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.109Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T15:58:54.468796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:51:46.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/Velocidex/velociraptor/releases",
"defaultStatus": "unaffected",
"modules": [
"VQL copy() function"
],
"packageName": "Velociraptor",
"platforms": [
"Linux",
"Windows",
"MacOS",
"64 bit",
"32 bit"
],
"product": "Velociraptor",
"programFiles": [
"https://github.com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go"
],
"programRoutines": [
{
"name": "copy()"
}
],
"repo": "https://github.com/Velocidex/velociraptor/",
"vendor": "Rapid7",
"versions": [
{
"changes": [
{
"at": "5",
"status": "unaffected"
}
],
"lessThan": "0.6.7-5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
}
],
"value": "Velociraptor deployment with multiple users at lower roles than administrators, such as \"investigator\" and above."
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Paul Alkemade from Telstra"
}
],
"datePublic": "2023-01-18T02:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\u003cbr\u003e\u003cbr\u003eThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\u003cbr\u003e\u003cbr\u003eTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\u003cbr\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\"\u003ehttps://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go\u003c/a\u003e\u003c/tt\u003e and program routines \u003ctt\u003ecopy()\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\u003c/p\u003e"
}
],
"value": "Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server.\n\nThe VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor \"investigator\" role) to overwrite files on the server, including Velociraptor configuration files.\n\nTo exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least \"analyst\") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI).\nThis vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy().\n\nThis issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-75",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-75 Manipulating Writeable Configuration Files"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-18T20:57:30.570Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.velociraptor.app/announcements/2023-cves/#:~:text=to%20upgrade%20clients.-,CVE%2D2023%2D0242,-Insufficient%20Permission%20Check"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to 0.6.7-5"
}
],
"value": "Upgrade to 0.6.7-5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-01-12T07:00:00.000Z",
"value": "Notification of the issue"
},
{
"lang": "en",
"time": "2023-01-17T02:00:00.000Z",
"value": "Release 0.6.7-5 made available on Github"
}
],
"title": "Insufficient permission check in the VQL copy() function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\u003cbr\u003e\u003cbr\u003e1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\u003cbr\u003e2. This will add a default allow list to the configuration file.\u003cbr\u003e3. Copy this allow list to your existing server.config.yaml\u003cbr\u003e4. Ensure the \"copy\" function is removed from the default allow list."
}
],
"value": "A valid workaround is to prevent the copy function in the Velociraptor allow list:\n\n1. In the configuration wizard answer yes to the question \"Do you want to restrict VQL functionality on the server?\"\n2. This will add a default allow list to the configuration file.\n3. Copy this allow list to your existing server.config.yaml\n4. Ensure the \"copy\" function is removed from the default allow list."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2023-0242",
"datePublished": "2023-01-18T20:57:30.570Z",
"dateReserved": "2023-01-12T13:35:35.391Z",
"dateUpdated": "2025-04-03T19:51:46.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35632 (GCVE-0-2022-35632)
Vulnerability from cvelistv5 – Published: 2022-07-29 17:01 – Updated: 2024-09-16 23:26
VLAI?
Title
XSS in User Interface
Summary
The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.412Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:01:01",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "XSS in User Interface",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35632",
"STATE": "PUBLIC",
"TITLE": "XSS in User Interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not properly sanitized and can lead to cross-site scripting (XSS). This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35632",
"datePublished": "2022-07-29T17:01:01.834546Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-16T23:26:36.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35631 (GCVE-0-2022-35631)
Vulnerability from cvelistv5 – Published: 2022-07-29 17:00 – Updated: 2024-09-16 22:20
VLAI?
Title
Filesystem race on temporary files
Summary
On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-377 - Insecure Temporary File
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.422Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377 Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:00:46",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Filesystem race on temporary files",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35631",
"STATE": "PUBLIC",
"TITLE": "Filesystem race on temporary files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-377 Insecure Temporary File"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35631",
"datePublished": "2022-07-29T17:00:46.360561Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-16T22:20:46.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35630 (GCVE-0-2022-35630)
Vulnerability from cvelistv5 – Published: 2022-07-29 17:00 – Updated: 2024-09-17 02:20
VLAI?
Title
Unsafe HTML Injection in Artifact Collection Report
Summary
A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:00:33",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsafe HTML Injection in Artifact Collection Report",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35630",
"STATE": "PUBLIC",
"TITLE": "Unsafe HTML Injection in Artifact Collection Report"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35630",
"datePublished": "2022-07-29T17:00:33.544112Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-17T02:20:37.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35629 (GCVE-0-2022-35629)
Vulnerability from cvelistv5 – Published: 2022-07-29 17:00 – Updated: 2024-09-16 20:26
VLAI?
Title
Velociraptor Client ID Spoofing
Summary
Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2.
Severity ?
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.6.5-2 , < 0.6.5-2
(custom)
|
Credits
Issue identified and disclosed by Tim Goddard of CyberCX during a security code review
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:36:44.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "0.6.5-2",
"status": "affected",
"version": "0.6.5-2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"datePublic": "2022-07-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T17:00:21",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Velociraptor Client ID Spoofing",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2022-07-26T17:15:00.000Z",
"ID": "CVE-2022-35629",
"STATE": "PUBLIC",
"TITLE": "Velociraptor Client ID Spoofing"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.6.5-2",
"version_value": "0.6.5-2"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Issue identified and disclosed by Tim Goddard of CyberCX during a security code review"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/",
"refsource": "CONFIRM",
"url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2022-35629",
"datePublished": "2022-07-29T17:00:21.251524Z",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-09-16T20:26:44.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3619 (GCVE-0-2021-3619)
Vulnerability from cvelistv5 – Published: 2021-08-17 19:07 – Updated: 2024-09-17 03:59
VLAI?
Title
Rapid7 Velociraptor Notebooks Authenticated Persistent XSS
Summary
Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds.
Severity ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Rapid7 | Velociraptor |
Affected:
0.5.9 , ≤ 0.5.9
(custom)
|
Credits
Mike Cohen of Rapid7 discovered and fixed this vulnerability as part of routine software maintenance.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor/pull/1118"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Velociraptor",
"vendor": "Rapid7",
"versions": [
{
"lessThanOrEqual": "0.5.9",
"status": "affected",
"version": "0.5.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mike Cohen of Rapid7 discovered and fixed this vulnerability as part of routine software maintenance."
}
],
"datePublic": "2021-06-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T19:07:39",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Velocidex/velociraptor/pull/1118"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Rapid7 Velociraptor Notebooks Authenticated Persistent XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2021-06-21T15:21:00.000Z",
"ID": "CVE-2021-3619",
"STATE": "PUBLIC",
"TITLE": "Rapid7 Velociraptor Notebooks Authenticated Persistent XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Velociraptor",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0.5.9",
"version_value": "0.5.9"
}
]
}
}
]
},
"vendor_name": "Rapid7"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Mike Cohen of Rapid7 discovered and fixed this vulnerability as part of routine software maintenance."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse MIME filetype sniffing to embed executable code on a malicious upload. This issue was fixed in version 0.6.0. Note that login rights to Velociraptor is nearly always reserved for trusted and verified users with IT security backgrounds."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Velocidex/velociraptor/pull/1118",
"refsource": "MISC",
"url": "https://github.com/Velocidex/velociraptor/pull/1118"
},
{
"name": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0",
"refsource": "CONFIRM",
"url": "https://github.com/Velocidex/velociraptor/releases/tag/v0.6.0"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2021-3619",
"datePublished": "2021-08-17T19:07:39.160750Z",
"dateReserved": "2021-06-24T00:00:00",
"dateUpdated": "2024-09-17T03:59:06.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}