CVE-2021-4016: 
Rapid7 Insight Cloud Agent vulnerability analysis and mitigation

Rapid7 Insight Agent versions prior to 3.1.3 contained an improper access control vulnerability (CVE-2021-4016) that was discovered and disclosed in January 2022. The vulnerability affected the access control mechanism of the snapshot directory in the Insight Agent software (NVD, Rapid7 Release Notes).

The vulnerability stems from improper access control implementation whereby non-system users could access the Insight Agent snapshot directory. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) by NVD with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating local access requirements and low severity (NVD).

If exploited, the vulnerability allows attackers to access, read, and copy files from the snapshot directory, including sensitive files such as assetinfo.json and fileinfo.json, potentially leading to a loss of confidentiality (NVD, Rapid7 DB).

The vulnerability was fixed in Rapid7 Insight Agent version 3.1.3. Users are advised to upgrade to this version or later to remediate the vulnerability. The fix was released as part of a security update that also included upgrades to Python 3.9.5 and OpenSSL 1.1.1L (Rapid7 Release Notes).