ManageEngine Information Disclosure in Multiple Products
CVE-2023-6105
5.5MEDIUM
Key Information
- Vendor
- ManageEngine
- Status
- Service Desk Plus
- Asset Explorer
- Access Manager Plus
- Vendor
- CVE Published:
- 15 November 2023
Summary
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.
Affected Version(s)
Service Desk Plus < 14304
Asset Explorer < 7004
Access Manager Plus < 14304
Refferences
CVSS V3.1
Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database