Lucene search

[email protected]NVD:CVE-2021-20148

HistoryJan 03, 2022 - 10:15 p.m.

CVE-2021-20148

2022-01-0322:15:08

CWE-552

[email protected]

web.nvd.nist.gov

manageengine

adselfservice plus

password policy

predictable filenames

unauthorized access

windows domains

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

44.5%

JSON

ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain.

Affected configurations

Nvd

Node

zohocorpmanageengine_adselfservice_plusRange≤6.0

zohocorpmanageengine_adselfservice_plusMatch6.1-

zohocorpmanageengine_adselfservice_plusMatch6.16100

zohocorpmanageengine_adselfservice_plusMatch6.16101

zohocorpmanageengine_adselfservice_plusMatch6.16102

zohocorpmanageengine_adselfservice_plusMatch6.16103

zohocorpmanageengine_adselfservice_plusMatch6.16104

zohocorpmanageengine_adselfservice_plusMatch6.16105

zohocorpmanageengine_adselfservice_plusMatch6.16106

zohocorpmanageengine_adselfservice_plusMatch6.16107

zohocorpmanageengine_adselfservice_plusMatch6.16108

zohocorpmanageengine_adselfservice_plusMatch6.16109

zohocorpmanageengine_adselfservice_plusMatch6.16110

zohocorpmanageengine_adselfservice_plusMatch6.16111

zohocorpmanageengine_adselfservice_plusMatch6.16112

zohocorpmanageengine_adselfservice_plusMatch6.16113

zohocorpmanageengine_adselfservice_plusMatch6.16114

zohocorpmanageengine_adselfservice_plusMatch6.16115

VendorProductVersionCPE
zohocorpmanageengine_adselfservice_plus*cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:-:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6101:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6102:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6104:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6105:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106:*:*:*:*:*:*
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6107:*:*:*:*:*:*

Vendor	Product	Version	CPE
zohocorp	manageengine_adselfservice_plus	*	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus::::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:-::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6101::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6102::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6104::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6105::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106::::::
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6107::::::

Rows per page:

1-10 of 181

References

www.tenable.com/security/research/tra-2021-52

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

44.5%

JSON

Related for NVD:CVE-2021-20148

cve1 cnvd1 cvelist1 prion1