PT-2023-18769 · ManageEngine · Password Manager Pro, Access Manager Plus, PAM360
Published: 2023-04-26 · Updated: 2023-06-28
CVE: CVE-2023-2291
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ManageEngine Access Manager Plus (AMP) build 4309
ManageEngine Password Manager Pro (affected versions not specified)
ManageEngine PAM360 (affected versions not specified)
Description
Static credentials exist in the PostgreSQL data used in the affected products. These credentials could allow a malicious actor to modify configuration data, escalating their permissions from a low-privileged user to an Administrative user.
Recommendations
For ManageEngine Access Manager Plus (AMP) build 4309, update to a version that does not include static credentials in the PostgreSQL data.
For ManageEngine Password Manager Pro, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
For ManageEngine PAM360, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Using Hardcoded Credentials
Affected Products
Zoho Manageengine Access Manager Plus
Manageengine Pam360
Manageengine Password Manager Pro