CVE-2023-6105 — Sensitive Information Exposure in Access Manager Plus

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 77.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Manageengine Access Manager Plus Manageengine Asset Explorer Manageengine Service Desk Plus +39 more

Timeline

PublishedNov 15

Description

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages42 packages

▶CVEListV5manageengine/access_manager_plus< 14304

▶NVDzohocorp/manageengine_remote_access_plus< 11.2.2328.01

▶NVDzohocorp/manageengine_access_manager_plus< 4.3+1

▶NVDzohocorp/manageengine_vulnerability_manager_plus< 11.2.2328.01

▶CVEListV5manageengine/asset_explorer< 7004

🔴Vulnerability Details

GHSA

GHSA-2jvx-3h5f-w2j7: An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed↗2023-11-15

▶

CVEList

ManageEngine Information Disclosure in Multiple Products↗2023-11-15

▶