6.6.244 (Mar 27, 2024)

Fixed

  • We fixed a defect that caused ColdFusion fingerprinting to keep repeating from the same uninstaller key even after a successful fingerprint, because the uninstaller key was never retracted once it had been consumed.
  • We fixed a false positive in the CIS benchmark for Apache HTTP Server 2.4 that would occur when apache2ctl was not installed.

Security Update

  • We fixed CVE-2024-2745, an information exposure vulnerability affecting the Security Console’s maintenance mode login page. If a login was attempted before the page had finished loading completely, the submitted credentials were displayed in the browser’s address bar. This could have allowed attackers to obtain sensitive data such as usernames, passwords, tokens (authX), and database details. This issue affects all Security Console versions up to and including 6.6.243. If your Security Console currently falls on or within this affected version range, ensure that you update your Security Console to the latest version. Special thanks to Sreenath Raghunath (Fireware LLC UAE, OMAN) for reporting this issue to Rapid7.
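    Credentials that land in the address bar also tend to land wherever request URLs are recorded (web server access logs, proxies, browser history), so a practical follow-up to patching is to check existing logs for query strings carrying credential-like parameters and to redact them before the logs are retained or forwarded. The script below is an added example written for this page; it is not Rapid7 code and the page does not describe the Security Console's log format. The log lines are constructed in Common Log Format, and the set of parameter names treated as sensitive is an assumption you should adjust to your own environment.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, quote

# Constructed sample access-log lines (Common Log Format); not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2024:10:01:02 +0000] "GET /maintenance/login?username=admin&password=Sup3rSecret HTTP/1.1" 302 0
10.0.0.7 - - [27/Mar/2024:10:01:05 +0000] "GET /maintenance/login HTTP/1.1" 200 1843
10.0.0.9 - - [27/Mar/2024:10:02:11 +0000] "GET /api/status?token=abc123&verbose=1 HTTP/1.1" 200 512
10.0.0.9 - - [27/Mar/2024:10:02:12 +0000] "POST /maintenance/login HTTP/1.1" 302 0
"""

# Assumed parameter names that should never appear in a URL query string.
# Extend this for the field names your own login forms actually use.
SENSITIVE_PARAMS = {
    "username", "user", "password", "passwd", "pwd",
    "token", "authx", "dbuser", "dbpassword",
}

# Extracts the request line: method and request-target.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def leaked_params(target):
    """Return the names of sensitive parameters present in a request-target's query string."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def find_credential_leaks(log_text):
    """Scan access-log text; return one finding per line whose URL carries credential-like parameters."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        params = leaked_params(target)
        if params:
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "path": urlsplit(target).path,
                "params": params,  # names only; values are deliberately not copied into the finding
            })
    return findings


def redact_query(target):
    """Rewrite a request-target so that sensitive query values are replaced with 'REDACTED'."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = "&".join(
        f"{quote(k)}={'REDACTED' if k.lower() in SENSITIVE_PARAMS else quote(v)}"
        for k, v in pairs
    )
    return urlunsplit(parts._replace(query=cleaned))


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} exposes {', '.join(f['params'])}")
    print(redact_query("/maintenance/login?username=admin&password=Sup3rSecret"))
```

Run against the constructed sample, the scan flags line 1 (username and password in a GET to the login page) and line 3 (a token in a query string) and ignores the POST on line 4, whose body is not in the log. Because the findings carry parameter names but never values, the report itself does not become a second copy of the exposed secret; use `redact_query` on the stored lines when the log must be kept.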

Other Changes

  • Version 1.3.5 of the Scan Assistant is now available. This version of the Scan Assistant resolves the known issue with versions 1.2.5 and 1.2.7 (initially introduced in product version 6.6.224) which caused auto-updates to fail and left the service nonfunctional on Windows.

    Now, auto-updates no longer fail and are enabled for the Scan Assistant installer. However, any assets with a corrupted or broken Scan Assistant installation as a result of the previous issue will require the Scan Assistant to be reinstalled manually. This change only ensures that the auto-update process completes successfully or, in the case of an error, does not leave the Scan Assistant in a nonfunctional state.

    Version 1.3.3 of the Scan Assistant was not affected by the defect.

    Additionally, the Scan Assistant is now built using Go version 1.21.6, remediating vulnerabilities present in the earlier Go versions it was built with.

    • Note: This change is being re-released after being previously reverted in product version 6.6.228.