CVE-2022-24446

by Excellium SA

Abstract Advisory Information

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user can see all SSH servers (and user information) even if no SSH server or user is associated with them.

Authors: Dominique Righetto from Excellium-services company

Version affected

Name: Zoho ManageEngine Key Manager
Versions: 6.1.6

Common Vulnerability Scoring System

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Patches

version 6200

References

https://www.manageengine.com/key-manager/download.html

Vulnerability Disclosure Timeline

  • 09/01/2022: Vulnerability discovery
  • 10/01/2022: Vulnerability Report to CERT-XLM
  • 11/01/2022: Vulnerability Report to Vendor through bug bounty platform
  • 11/01/2022: Acknowledgement from vendor
  • 31/01/2022: Vulnerability fixed
  • 04/02/2022: CVE ID requested from MITRE
  • 04/02/2022: CVE ID assigned: CVE-2022-24446
  • 21/02/2022: Vulnerability disclosure

 
