8.8

CVE-2019-19774

Exploit

EPSS 25.58%
Veröffentlicht 13.12.2019 18:15:11
Zuletzt bearbeitet 21.11.2024 04:35:21
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 0 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Eventlog Analyzer Version >= 10.0 < 12.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	25.58%	0.96

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

http://packetstormsecurity.com/files/156485/ManageEngine-EventLog-Analyzer-10.0-Information-Disclosure.html

Third Party Advisory

Exploit

VDB Entry

https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9381765cfc7fe39

Third Party Advisory

https://www.manageengine.com/products/eventlog/features-new.html#release

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-19774

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-19774

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-19774

EUVD