|
|
|||
| Rule General Information |
|---|
| Release Date: | 2018-10-15 | |
| Rule Name: | Zoho ManageEngine OpManager oputilsServlet Authentication Bypass Vulnerability(CVE-2018-17283) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. | |
| Impact: | This issue affects an unknown function of the file /oputilsServlet. The manipulation of the argument action with the input value getAPIKey leads to a privilege escalation vulnerability. | |
| Affected OS: | Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android | |
| Reference: | https://vuldb.com/?id.124337 https://github.com/x-f1v3/ForCve/issues/4 https://www.manageengine.com/network-monitoring/help/read-me.html |
|
| Solutions |
|---|
| Upgrading to version 12.3 Build 123196 eliminates this vulnerability. |