CVE-2022-29081

Опубликовано: 28 апр. 2022

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Высокий

Описание

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.

Ссылки

https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.html
Vendor Advisory
https://www.tenable.com/security/research/tra-2022-14
Exploit
Third Party Advisory
https://www.manageengine.com/privileged-session-management/advisory/cve-2022-29081.html
Vendor Advisory
https://www.tenable.com/security/research/tra-2022-14
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.0:build4000:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.1:build4100:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.1:build4101:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.2:build4200:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.2:build4201:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.2:build4202:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.2:build4203:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4300:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4301:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:4.0:build4001:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:4.0:build4002:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:4.1:build4100:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:4.1:build4101:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:4.5:build4500:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:4.5:build4501:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.0:build5000:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.0:build5001:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.0:build5002:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.0:build5003:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.0:build5004:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.1:build5100:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.2:build5200:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.3:build5300:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.3:build5301:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.3:build5302:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_pam360:5.4:build5400:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10103:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10104:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.2:build10200:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.3:build10300:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.3:build10301:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.3:build10302:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.4:build10400:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.4:build10401:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.4:build10402:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.1:11104:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.1:build_11101:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.1:build_11102:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.1:build_11103:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.2:build11200:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.2:build11201:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.3:build11300:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:11.3:build11301:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.0:build12000:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.0:build12001:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.0:build12002:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.0:build12003:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.0:build12004:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.0:build12005:*:*:*:*:*:*

cpe:2.3:a:zohocorp:manageengine_password_manager_pro:12.0:build12006:*:*:*:*:*:*

EPSS

Процентиль: 99%

0.81761

Высокий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-59xq-494m-chp8

CVSS3: 9.8

github

почти 4 года назад

BDU:2025-14638

CVSS3: 9.8

fstec

почти 4 года назад

Уязвимость программного решения для управления привилегированными сеансами Zoho ManageEngine Access Manager Plus, программного решения для контроля, управления и аудита Zoho ManageEngine Password Manager Pro и программного обеспечения для управления привилегированным доступом ManageEngine Privileged Access Manager 360 (PAM360), связанная с неверным ограничением имени пути к каталогу, позволяющая нарушителю обойти ограничения безопасности и получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 99%

0.81761

Высокий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22