ManageEngine Information Disclosure in Multiple Products

CVE-2023-6105

5.5MEDIUM

Key Information

Status
Service Desk Plus
Asset Explorer
Access Manager Plus
Vendor
CVE Published:
15 November 2023

Summary

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

Affected Version(s)

Service Desk Plus < 14304

Asset Explorer < 7004

Access Manager Plus < 14304

Refferences

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.