CVE-2024-6504
Rapid7 Vulnerability Management vulnerability analysis and mitigation

Overview

Rapid7 InsightVM Console versions below 6.6.260 suffer from a protection mechanism failure vulnerability tracked as CVE-2024-6504. The issue was published on July 18, 2024. Note that the vendor advisory lists versions below 6.6.260 as affected but names 6.6.261 as the release that contains the fix, so 6.6.260 itself should be treated as unconfirmed and upgraded to 6.6.261 or later (Vendor Advisory).

Technical details

The vulnerability is classified as a protection mechanism failure: an attacker with network access to the InsightVM Console can cause it to overload or crash. The attack consists of sending repeated invalid REST requests to the Console's port 443 within a short timeframe; each malformed request drives the Console into an exception handling and logging loop, and the accumulated loop iterations exhaust the CPU. No credentials or user interaction are required, so any source that can reach port 443 can trigger the condition. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, i.e. a network-reachable, unauthenticated denial of service scored with low availability impact and no confidentiality or integrity impact (NVD).

Impact

The vulnerability impacts availability only: an attacker can overload or crash the Console, interrupting scanning and reporting until it is restarted. There is no indication that an attacker can use this method to escalate privileges, acquire unauthorized access to data, or gain control of protected resources (Vendor Advisory).

Mitigation and workarounds

The vulnerability has been fixed in InsightVM Console version 6.6.261. Organizations running affected versions should upgrade to 6.6.261 or later; the advisory lists no other fix. Because the attack requires network access to the Console's port 443 and no credentials, the set of networks that can reach that port determines who can trigger the condition until the upgrade is applied (Vendor Advisory).

Source: This report was generated using AI.
