CVE-2022-35403: ManageEngine security advisory
Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)
Local file disclosure vulnerability
CVE ID: CVE-2022-35403
Product Name | Severity | Affected Version(s) | Fixed Version | Fixed On
ServiceDesk Plus | High | 13007 and below | 13008 | July 7, 2022
ServiceDesk Plus MSP | High | 10605 and below | 10606 | July 11, 2022
SupportCenter Plus | High | 11021 and below | 11022 | July 11, 2022
AssetExplorer | Medium | 6976 and below | 6977 | July 7, 2022
Details
This file disclosure vulnerability allows unauthenticated users to download local files from the ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus server machines by sending a crafted email for ticket creation. The same vulnerability affects AssetExplorer, where it is rated medium severity because exploitation requires authentication.
We fixed this issue by adding additional checks to the processing of email content in ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus and AssetExplorer.
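The advisory states only that a crafted ticket-creation email could make the server disclose local files and that the fix added checks on email content; it does not say which part of the message was abused, and ManageEngine's fix itself is not published. The following is an added example, not ManageEngine code, showing the general class of check an email-to-ticket intake should apply: every attachment name and every inline reference taken from the message is treated as untrusted, and anything that would resolve to a file on the server rather than to content carried inside the message is rejected and reported. The attachment root path, the function names and the sample message are constructed for the example.

```python
"""Added example, not ManageEngine's code: a hardened email-to-ticket intake.

Every attachment name and inline reference taken from an inbound message is
untrusted. Names that are really paths are rejected (not trimmed), and HTML
references are checked against an allow-list of schemes that can only point
at message-internal or web content. Paths, names and the sample message are
constructed for the example.
"""
import email
import html
import os
import posixpath
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Assumed location of the per-ticket attachment store; nothing is written to it.
ATTACHMENT_ROOT = "/srv/helpdesk/attachments"

# Inline references accepted inside an HTML body: content embedded in the
# message (cid:) or ordinary web URLs. file:, UNC and bare filesystem paths
# fall outside this allow-list and are reported.
_ALLOWED_SCHEMES = ("cid:", "http://", "https://")
_REF_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def safe_attachment_name(raw_name: Optional[str]) -> Optional[str]:
    """Return the name if it is a plain file name, else None.

    Rejects rather than silently trims: a name containing a path separator,
    a drive letter or a traversal component is a signal, not a typo.
    """
    if not raw_name:
        return None
    name = posixpath.basename(raw_name.replace("\\", "/"))
    if name in ("", ".", "..") or ":" in name or name != raw_name:
        return None
    # Defence in depth: confirm the final location stays inside the store.
    dest = os.path.normpath(os.path.join(ATTACHMENT_ROOT, name))
    if os.path.dirname(dest) != os.path.normpath(ATTACHMENT_ROOT):
        return None
    return name


def unsafe_inline_refs(html_body: str) -> list:
    """List src/href values that point somewhere other than cid: or http(s)."""
    bad = []
    for ref in _REF_RE.findall(html_body):
        ref = html.unescape(ref).strip()
        if not ref.lower().startswith(_ALLOWED_SCHEMES):
            bad.append(ref)
    return bad


def triage_message(raw: bytes) -> dict:
    """Parse an inbound message and report what the intake would accept or reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["subject"]), "accepted": [], "rejected": [], "bad_refs": []}
    for part in msg.iter_attachments():
        name = part.get_filename()
        bucket = "accepted" if safe_attachment_name(name) else "rejected"
        report[bucket].append(name)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        report["bad_refs"] = unsafe_inline_refs(body.get_content())
    return report


def build_sample() -> bytes:
    """Constructed message: one ordinary attachment, one traversal name, one file: reference."""
    msg = EmailMessage()
    msg["From"] = "requester@example.com"
    msg["To"] = "helpdesk@example.com"
    msg["Subject"] = "Printer on floor 3 is down"
    msg.set_content("Please see the attached report.")
    msg.add_alternative(
        '<p>See <img src="cid:photo1"> and <img src="file:///etc/hostname"></p>',
        subtype="html",
    )
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"x", maintype="application",
                       subtype="octet-stream", filename="../../etc/passwd")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

The intake never resolves a name or reference before it has passed the check, and it rejects rather than repairs: a traversal sequence or a `file:` reference in a ticket email is worth logging as a probe, not quietly normalising away.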
Impact
This vulnerability allows unauthenticated users to download local files from the server machine.
Steps to upgrade
- Download the latest upgrade pack from the following links for the respective product:
  - ServiceDesk Plus - https://www.manageengine.com/products/service-desk/on-premises/migration-sequence.html
  - ServiceDesk Plus MSP - https://www.manageengine.com/products/service-desk-msp/service-packs-hotfix.html
  - SupportCenter Plus - https://www.manageengine.com/products/support-center/service-packs.html
  - AssetExplorer - https://www.manageengine.com/products/asset-explorer/service-packs.html
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.
Please follow the forum post for the respective product, listed below, for any further updates regarding this vulnerability:
ServiceDesk Plus | ServiceDesk Plus MSP | SupportCenter Plus | AssetExplorer
Acknowledgements
This issue was reported by our internal security team on our bug bounty portal.
If you have any questions or concerns, please contact product support for further details at the email addresses below.
ServiceDesk Plus: [email protected]
ServiceDesk Plus MSP: [email protected]
SupportCenter Plus: [email protected]
AssetExplorer: [email protected]