CVE-2021-20110Integer Overflow or Wraparound in Manageengine Assetexplorer

CWE-190Integer Overflow or WraparoundCWE-295Improper Certificate Validation4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
1.9%
top 16.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Zohocorp Manageengine Assetexplorer
Timeline
PublishedJul 19
Latest updateMay 24

Description

Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

3
GHSA
GHSA-jj4p-9287-5h8h: Due to Manage Engine Asset Explorer Agent 12022-05-24
CVEList
CVE-2021-20110: Due to Manage Engine Asset Explorer Agent 12021-07-19
OSV
CVE-2021-20110: Due to Manage Engine Asset Explorer Agent 12021-07-19
CVE-2021-20110 — Integer Overflow or Wraparound | cvebase