Abstract Advisory Information
Security issue affecting the product DataSecurity Plus.
DataSecurity Plus is software that helps companies address enterprise data security needs regarding Data Discovery, File Server Auditing and Storage Analysis.
Two services exposed by the software allow a basic user (“Operator” access level) to:
– Use a service as a relay to perform a discovery operation (machine availability and open port state) targeting machines located in the same internal network.
– Access the configuration file of the mail server (except for the password).
Authors: Dominique Righetto
Vendor: ManageEngine
Name: DataSecurity Plus
Version: 5.0.1 Build 5011 and previous versions
Common Vulnerability Scoring System
5.0.1 Build 5012
Vulnerability Disclosure Timeline
- 09/07/2019: Vulnerability discovered
- 10/07/2019: First contact with vendor
- 06/08/2019: Request for updates, no answers
- 26/08/2019: Request for updates, no answers
- 04/09/2019: Request for updates, no answers
- 12/09/2019: Vendor confirmed the fix creation
- 26/09/2019: Request for updates, no answers
- 01/10/2019: Request for updates, no answers
- 03/10/2019: Fix released by vendor (5012)
- 03/10/2019: MITRE CVE-ID request (CVE-2019-17112)
- 07/10/2019: Public disclosure