PT-2020-10167 · Postgresql+1
Ammarit Thongthua +2 · Published 2020-01-10 · Updated 2023-02-01 · CVE-2019-19475
CVSS v2.0: 9.0 High
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
ManageEngine Applications Manager version 14 with Build 14360
Description
An issue was discovered in the integrated PostgreSQL component of ManageEngine Applications Manager: insecure file permissions allow malicious users in the "Authenticated Users" group to escalate privileges. Such a user can modify the PostgreSQL configuration to execute arbitrary commands and gain full system privileges on the host.
Recommendations
For ManageEngine Applications Manager version 14 with Build 14360, consider restricting access to the integrated PostgreSQL component to prevent exploitation until a fix is available. As a temporary workaround, review and secure file permissions to prevent unauthorized modifications to the PostgreSQL configuration.
Fix
Incorrect Default Permissions
Weakness Enumeration
Related Identifiers
Affected Products
Zoho Manageengine Applications Manager
Postgresql