Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-19475: Security Updates - CVE Details - CVE-2019-19475

An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.

CVE
#sql#vulnerability#auth#postgres

Privilege escalation exploit on PostgreSQL insecure file permission

Vulnerability Details

Impact

CVSS V3 rating: 8.8 HIGH

Fixed

24 November 2019

Affected Builds

Till Build 14420

Fixed in

Build 14430

Overview

Privilege escalation exploit on PostgreSQL insecure file permission.

Recommended Fix

Upgrade Applications Manager to version 14430 or above.

Description- Security Update - CVE-2019-19475 Database

An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.

We recommend you to upgrade Applications Manager to version 14430 to fix this issue.

Source and Acknowledgements

Find out more about CVE-2019-19475 from CVE Directory and NIST NVD.

Reported by:
Sittikorn Sangrattanapitak - Cybersecurity Researcher.
Nuttakorn Tungpoonsup - Secure D Center Research Team, Secure D Center Co.,Ltd.
Ammarit Thongthua - Secure D Center Research Team, Secure D Center Co.,Ltd.

Need Help?

For clarification or corrections please contact our support team or email us at [email protected]

Related news

CVE-2019-19650: Release Notes - New features

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907