PatchSiren

CVE-2017-5229 Rapid7 CVE debrief

CVE-2017-5229 is a high-severity directory traversal issue in Rapid7 Metasploit’s Meterpreter extapi Clipboard.parse_dump() path handling. A specially crafted Meterpreter build could cause the Metasploit console to write into an arbitrary directory with the privileges of the running instance. The vulnerability was published on 2017-03-02; NVD later updated the record on 2026-05-13.

Vendor: Rapid7
Product: CVE-2017-5229
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

This issue matters to teams running Metasploit consoles, red-team infrastructure, shared lab systems, or any environment where Meterpreter payloads may be processed by a long-lived Metasploit instance. Console operators should care because the flaw can affect the host filesystem, not just the Meterpreter session.

Technical summary

The issue is a directory traversal vulnerability affecting the Meterpreter extapi Clipboard.parse_dump() function. According to the CVE description, a specially crafted Meterpreter build can direct writes outside the intended path and place data in an arbitrary directory on the Metasploit console host, limited by the permissions of the Metasploit process. NVD classifies the weakness as CWE-22 and rates the issue CVSS 3.0 7.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L). The supplied sources indicate that Metasploit versions prior to the vendor-fixed build referenced in the advisory are affected, while NVD’s current CPE range lists vulnerable versions through 4.13.19.
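The CWE-22 pattern described above, shown beside a confined form, as an added Ruby example that is not Metasploit's code and not taken from the advisory. It assumes a console that builds a destination path from a file name reported by the remote session; the function names and sample names are hypothetical.

```ruby
require "tmpdir"

class UnsafePathError < StandardError; end

# Naive form (the CWE-22 pattern): the name reported by the remote side is
# joined onto the base directory, so "../" segments climb out of it.
def naive_destination(base_dir, remote_name)
  File.expand_path(File.join(base_dir, remote_name))
end

# Confined form: resolve the joined path, then require it to stay under base_dir.
def confined_destination(base_dir, remote_name)
  base = File.realpath(base_dir)
  # Treat "\" as a separator too, so the check is the same on every host OS.
  name = remote_name.to_s.tr("\\", "/")
  raise UnsafePathError, "empty name or NUL byte" if name.empty? || name.include?("\0")

  candidate = File.expand_path(File.join(base, name))
  inside = ->(path) { path.start_with?(base + File::SEPARATOR) }
  raise UnsafePathError, "escapes #{base}: #{remote_name.inspect}" unless inside.call(candidate)

  # A symlink already present inside base_dir can still redirect the write,
  # so the parent directory is resolved as well when it exists.
  parent = File.dirname(candidate)
  if File.exist?(parent)
    real_parent = File.realpath(parent)
    unless real_parent == base || inside.call(real_parent)
      raise UnsafePathError, "symlinked parent leaves #{base}"
    end
  end
  candidate
end

# Classify a batch of remote-supplied names: destination path, or :rejected.
def classify_names(base_dir, names)
  names.to_h do |name|
    dest = begin
      confined_destination(base_dir, name)
    rescue UnsafePathError
      :rejected
    end
    [name, dest]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names, not taken from any real session.
  Dir.mktmpdir("loot") { |dir| p classify_names(dir, ["clip.txt", "../../tmp/x", "..\\..\\x"]) }
end
```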

Defensive priority

High. This is not a remote code execution claim, but it can still affect integrity and confidentiality on the console host. Prioritize if you run exposed, shared, or automation-driven Metasploit infrastructure that ingests Meterpreter artifacts.

Recommended defensive actions

  • Upgrade Rapid7 Metasploit to the fixed release referenced in the vendor advisory and ensure all console hosts are on a patched build.
  • Restrict which Meterpreter payloads and artifacts are accepted by operational tooling; treat unexpected or externally supplied builds as untrusted input.
  • Run Metasploit consoles with the least-privilege account possible and isolate them from sensitive filesystem locations.
  • Review filesystem permissions and monitoring around the Metasploit working directories to detect unexpected writes outside expected paths.
  • If you cannot patch immediately, limit access to the console host and reduce exposure to untrusted sessions or payload handling workflows.

Evidence notes

Primary evidence comes from the CVE record and NVD entry. The CVE description states that all editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in Meterpreter extapi Clipboard.parse_dump(). NVD classifies it as CWE-22 and lists a vulnerable CPE range ending at 4.13.19. The vendor advisory link in the supplied sources provides the mitigation context, while the CVE record and NVD detail page are the authoritative references used here.

Official resources

CVE published 2017-03-02. Source record later modified 2026-05-13. Use the CVE publication date for issue timing, not the later modification date.