CVE-2023-2291 — Hard-coded Credentials in Manageengine Access Manager Plus

CWE-798 — Hard-coded Credentials CWE-667 — Improper Locking CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 94.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Access Manager Plus

Timeline

PublishedApr 26

Description

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_access_manager_plus4.3

🔴Vulnerability Details

GHSA

GHSA-q9gm-gx3j-8hmm: Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and Mana↗2023-04-26

▶

CVEList

CVE-2023-2291: Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and Mana↗2023-04-26

▶

📋Vendor Advisories

CISA

Intel Ethernet Diagnostics Driver for Windows Denial-of-Service Vulnerability↗2023-02-10

▶