ManageEngine Information Disclosure in Multiple Products

CVE-2023-6105

5.5MEDIUM

Key Information

Vendor: ManageEngine
Status: Service Desk Plus; Asset Explorer; Access Manager Plus
Vendor: CVE Published:; 15 November 2023

Summary

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

Affected Version(s)

Service Desk Plus < 14304

Asset Explorer < 7004

Access Manager Plus < 14304

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Nov 15, 2023
Vulnerability Reserved.
Nov 13, 2023

Collectors

NVD DatabaseMitre Database