|
|||
Rule General Information |
---|
Release Date: | 2018-10-15 | |
Rule Name: | Zoho ManageEngine OpManager oputilsServlet Authentication Bypass Vulnerability -1 (CVE-2018-17283) | |
Severity: | ||
CVE ID: | ||
Rule Protection Details |
---|
Description: | Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. | |
Impact: | This issue affects an unknown function of the file /oputilsServlet. The manipulation of the argument action with the input value getAPIKey leads to a privilege escalation vulnerability. | |
Affected OS: | Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android | |
Reference: | https://vuldb.com/?id.124337 https://github.com/x-f1v3/ForCve/issues/4 https://www.manageengine.com/network-monitoring/help/read-me.html |
|
Solutions |
---|
Upgrading to version 12.3 Build 123196 eliminates this vulnerability. |