Sep 15, 2020 7.2.126

Improved

  • We upgraded the installed Selenium ChromeDriver to version 84.0.4147.30.
  • We upgraded the Lodash library to the most recent version.
  • We updated the Swagger parser.
  • We updated the FrontPage Server Extension vulnerability tests.

Fixed

  • We fixed a false positive with the SSL Strength attack module that could incorrectly flag SSL v2/v3 as enabled.
  • We fixed a false positive affecting the SSL Certificate Expiration Date Check attack type.
  • Login macro failures caused by network errors will now cause a timeout exit after 1 minute.
  • We fixed a login macro failure.
  • We fixed a false positive affecting the Server Side Request Forgery attack module.
  • We fixed the Swagger parser to properly de-escape references.
  • We updated the license error message to notify the user about the missing route certificate.
  • We fixed CVE-2020-7358, an arbitrary code execution vulnerability affecting the AppSpider engine installer. While any exploitation of this vulnerability would have required an attacker to already have full access to the asset on which the installer would be executed, Rapid7 recommends deleting any copy of the AppSpider engine installer that you may have retained prior to this fixed edition. Thanks to Mishra Dhiraj for reporting this issue to Rapid7.