8.8

CVE-2019-19774

Exploit

EPSS 12.36%
Published 13.12.2019 18:15:11
Last modified 21.11.2024 04:35:21
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.

Affected products Warnungen 0 Metrics 3 CWE 0 References 6

Data is provided by the National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Eventlog Analyzer Version >= 10.0 < 12.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	12.36%	0.937

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

http://packetstormsecurity.com/files/156485/ManageEngine-EventLog-Analyzer-10.0-Information-Disclosure.html

Third Party Advisory

Exploit

VDB Entry

https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9381765cfc7fe39

Third Party Advisory

https://www.manageengine.com/products/eventlog/features-new.html#release

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-19774

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-19774

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-19774

EUVD