Headline
CVE-2019-19475: Security Updates - CVE Details - CVE-2019-19475
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.
Privilege escalation exploit on PostgreSQL insecure file permission
Vulnerability Details
Impact
CVSS V3 rating: 8.8 HIGH
Fixed
24 November 2019
Affected Builds
Till Build 14420
Fixed in
Build 14430
Overview
Privilege escalation exploit on PostgreSQL insecure file permission.
Recommended Fix
Upgrade Applications Manager to version 14430 or above.
Description- Security Update - CVE-2019-19475 Database
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.
We recommend you to upgrade Applications Manager to version 14430 to fix this issue.
Source and Acknowledgements
Find out more about CVE-2019-19475 from CVE Directory and NIST NVD.
Reported by:
Sittikorn Sangrattanapitak - Cybersecurity Researcher.
Nuttakorn Tungpoonsup - Secure D Center Research Team, Secure D Center Co.,Ltd.
Ammarit Thongthua - Secure D Center Research Team, Secure D Center Co.,Ltd.
Need Help?
For clarification or corrections please contact our support team or email us at [email protected]
Related news
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.