CVE-2021-20147

CWE-2033 documents3 sources

Severity

5.3MEDIUM

EPSS

18.0%

top 4.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Adselfservice Plus

Timeline

PublishedJan 3

Latest updateJan 4

Description

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5manageengine_adselfservice_plus< 6116

▶NVDzohocorp/manageengine_adselfservice_plus6.0+1

🔴Vulnerability Details

GHSA

GHSA-j385-q64g-xhxj: ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI↗2022-01-04

▶

CVEList

CVE-2021-20147: ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI↗2022-01-03

▶