# Security Updates - CVE-2020-11946 | ManageEngine OpManager

## CVE-2020-11946

### Unauthenticated access to API key disclosure from a servlet call.

| Vulnerability Details |  |
|---|---|
| Impact | **CVSS V3 rating: 7.5 (HIGH)** |
| Reported | 12th April 2020 |
| Reported by | Kuncho, an independent Security researcher |
| Fixed | 20th April 2020 |
| Affected Builds | → Builds 12.3.xxx - 12.4.195<br>→ Builds 12.5.000 - 12.5.119 |
| Fixed in | Builds 12.4.196/12.5.120 |
| Overview | Unauthenticated access to API key disclosure from a servlet call. |
| **Recommended Fix** | **→ For builds 12.3.xxx - 12.4.195, please upgrade to [OpManager Version 12.4.196](https://www.manageengine.com/network-monitoring/service-packs.html?124196).**<br><br>**→ For Builds 12.5.000 - 12.5.119, please upgrade to [OpManager Version 12.5.120](https://uploads.zohocorp.com/Internal_Useruploads/dnd/Firewall_Analyzer/zhDC3F5OzfxfVGa/ManageEngine_OpManager_12_0_SP-5_1_2_0.ppm?CVE-11946).** |

### Description

Unauthenticated access to API key disclosure from a servlet call.

We recommend that you [upgrade to OpManager Version 12.4.196](https://www.manageengine.com/network-monitoring/service-packs.html?124196) / [OpManager Version 12.5.120](https://uploads.zohocorp.com/Internal_Useruploads/dnd/Firewall_Analyzer/zhDC3F5OzfxfVGa/ManageEngine_OpManager_12_0_SP-5_1_2_0.ppm?CVE-11946>) (for builds 125000 - 125119) or contact our support team at [itom-upgrades@manageengine.com](mailto:itom-upgrades@manageengine.com) to fix this issue.

### Source and Acknowledgements

Find out more about CVE-2020-11946 from the [CVE dictionary](https://nvd.nist.gov/vuln/detail/CVE-2020-11946).

### Need Help?

For clarification or corrections please contact our [support team](https://www.manageengine.com/network-monitoring/support.html) or email us at [itom-upgrades@manageengine.com](mailto:itom-upgrades@manageengine.com).