PT-2022-23689 · Zoho · Opmanager+6

Published

2022-08-10

·

Updated

2025-09-24

·

CVE-2022-36923

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

The following Zoho ManageEngine products, in versions released before the fixed builds of 2022-07-27 through 2022-07-28:

Zoho ManageEngine OpManager
Zoho ManageEngine OpManager Plus
Zoho ManageEngine OpManager MSP
Zoho ManageEngine Network Configuration Manager
Zoho ManageEngine NetFlow Analyzer
Zoho ManageEngine Firewall Analyzer
Zoho ManageEngine OpUtils
Description

The getUserAPIKey function can be reached without authentication (an authentication bypass). An unauthenticated attacker can therefore obtain a user's API key and then use that key to call the product's externally exposed APIs as that user. The CVSS vector (C:H/I:N/A:N) scores only the disclosure of the key; what the attacker can do with it depends on the privileges of the account whose key was taken.
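The flaw class described above, as an added illustration that is not ManageEngine code and not taken from the advisory: an API-key lookup that performs no authentication and lets the caller choose whose key is returned, beside a hardened handler that requires a session and binds the key to the authenticated principal. Every name here (Request, SESSIONS, the JSESSIONID cookie, the userName parameter, the sample keys) is an assumption made for the example.

```python
import secrets
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a request carries no valid session or key."""


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: query parameters and cookies."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Constructed sample data (not real keys): user name -> API key.
API_KEYS = {"admin": "k-admin-0001", "netops": "k-netops-0002"}

# Constructed session store: session id -> authenticated user name.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session for an already-verified user and return its id."""
    if user not in API_KEYS:
        raise Unauthorized("unknown user")
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid


def get_user_api_key_vulnerable(req: Request) -> str:
    """The flaw class in the advisory: no authentication check, and the
    account whose key is returned is chosen by the caller. A request with
    userName=admin from anyone who can reach the port yields the admin key."""
    return API_KEYS[req.params["userName"]]


def get_user_api_key_fixed(req: Request) -> str:
    """Hardened handler: require a valid session and return only the key of
    the authenticated principal. A caller-supplied userName is ignored, so a
    logged-in user cannot fetch another user's key either."""
    user = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if user is None:
        raise Unauthorized("authentication required")
    return API_KEYS[user]


def call_api_with_key(api_key: str) -> str:
    """Stand-in for an endpoint authenticated by API key alone, the second
    stage of the attack: a leaked key is as good as that user's login."""
    for user, key in API_KEYS.items():
        if secrets.compare_digest(key, api_key):
            return user
    raise Unauthorized("bad api key")


def is_rejected(handler, req: Request) -> bool:
    """True if the handler refuses the request with Unauthorized."""
    try:
        handler(req)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    anon = Request(params={"userName": "admin"})
    leaked = get_user_api_key_vulnerable(anon)
    print("vulnerable handler leaked the key of:", call_api_with_key(leaked))
    print("fixed handler rejects anonymous request:",
          is_rejected(get_user_api_key_fixed, anon))
```

The fix has two parts, and both matter: the session check closes the unauthenticated path, and deriving the account from the session rather than from a parameter closes the horizontal (user-to-user) disclosure that a bare authentication check would leave open.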
Recommendations

For every affected product (OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer and OpUtils), update to a build released after 2022-07-28. If the upgrade must be delayed, block requests to the getUserAPIKey handler (for example at a reverse proxy in front of the product) and limit access to the web interface to trusted networks. Because the flaw discloses existing keys, treat the API keys of an instance that was reachable while unpatched as potentially exposed and regenerate them after updating.
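Patching does not tell you whether keys were already taken. The following triage script is an added example, not part of the advisory and not a ManageEngine tool: it walks web access logs for requests that reached the getUserAPIKey handler and succeeded, then looks for the same sources reusing an API key against other endpoints. The log lines are constructed, the /example/... paths and the apiKey parameter name are assumptions, and only the handler name getUserAPIKey comes from the advisory; confirm the real request path and parameter names for your build before running this against production logs.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log. Paths under /example/ are placeholders (assumption);
# the handler name getUserAPIKey is the only identifier taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2022:10:01:02 +0000] "GET /example/index.jsp HTTP/1.1" 200 5123
203.0.113.7 - - [28/Jul/2022:10:02:11 +0000] "GET /example/getUserAPIKey?userName=admin HTTP/1.1" 200 87
203.0.113.7 - - [28/Jul/2022:10:02:14 +0000] "GET /example/getUserAPIKey?userName=netops HTTP/1.1" 200 88
198.51.100.9 - - [28/Jul/2022:10:05:30 +0000] "GET /example/getUserAPIKey?userName=admin HTTP/1.1" 401 0
203.0.113.7 - - [28/Jul/2022:10:06:02 +0000] "GET /example/listDevices?apiKey=k-admin-0001 HTTP/1.1" 200 2210
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def find_key_disclosures(log_text: str, marker: str = "getuserapikey") -> list:
    """Requests that reached the key-disclosure handler and got a 2xx back.
    Non-2xx attempts are dropped here; they are still worth a look as probes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or marker not in rec["path"].lower():
            continue
        if not rec["status"].startswith("2"):
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"],
                     "user": rec["query"].get("userName"),
                     "status": int(rec["status"])})
    return hits


def find_key_reuse(log_text: str, source_ips: set, key_param: str = "apiKey") -> list:
    """Follow-on stage: the same sources later calling other endpoints with an
    API key in the query string. The parameter name is an assumption."""
    reuse = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] not in source_ips:
            continue
        if key_param in rec["query"] and "getuserapikey" not in rec["path"].lower():
            reuse.append({"ip": rec["ip"], "path": rec["path"],
                          "key": rec["query"][key_param]})
    return reuse


def triage(log_text: str) -> dict:
    """Summarise disclosures per source, the users whose keys are presumed
    leaked (candidates for regeneration), and key reuse by those sources."""
    hits = find_key_disclosures(log_text)
    ips = {h["ip"] for h in hits}
    return {
        "per_source": dict(Counter(h["ip"] for h in hits)),
        "exposed_users": sorted({h["user"] for h in hits if h["user"]}),
        "key_reuse": find_key_reuse(log_text, ips),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

A standard access log carries no cookie or session data, so this cannot tell an authenticated call from an unauthenticated one; correlate the flagged source addresses and timestamps with the product's own login audit to decide whether a hit was a legitimate user or an anonymous attacker. Keys that appear in the key_reuse list have certainly been used and should be regenerated first.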

Weakness Enumeration

Improper Access Control
Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2022-36923
ZDI-22-1119
ZDI-22-1120
ZDI-22-1121
ZDI-22-1122

Affected Products

Firewall Analyzer
Netflow Analyzer
Network Configuration Manager
Opmanager
Opmanager Msp
Opmanager Plus
Oputils