Token Leakage Vulnerability in PAM360 Release 5301

Severity : Medium

CVEID : CVE-2022-26145

Version Details : Scripts downloaded before 25-11-2021 are vulnerable.

Fixed On : 25-11-2021

Details :
The script provided for Ansible plugin integration in PAM360 had a token leakage issue: the token was printed as part of the URL variable and was visible to all users with physical access to the machine. We fixed this issue by removing the log prints.
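
An added example, not part of the vendor's script or its fix: for integration scripts that still need request logging, a Python logging filter that scrubs the token before a record is written, plus a helper that flags existing log lines still holding a token value. It assumes the token appears as an AUTHTOKEN=<value> query parameter; the host, path, token value and all function names are constructed for illustration.

```python
import logging
import re

# Assumption: the token travels as an AUTHTOKEN=<value> URL query parameter.
TOKEN_RE = re.compile(r"(AUTHTOKEN=)([^&\s]+)", re.IGNORECASE)
MARK = "<redacted>"

def redact(text):
    """Replace every AUTHTOKEN value in text with a fixed marker."""
    return TOKEN_RE.sub(r"\1" + MARK, text)

def find_leaks(lines):
    """Return 1-based numbers of log lines that hold an unredacted token."""
    return [n for n, line in enumerate(lines, 1)
            if any(m.group(2) != MARK for m in TOKEN_RE.finditer(line))]

class RedactTokenFilter(logging.Filter):
    """Scrub AUTHTOKEN values from a record before the handler writes it."""
    def filter(self, record):
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = None
        return True

class ListHandler(logging.Handler):
    """Collects formatted records in memory so the demo runs offline."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def demo():
    # Constructed sample: host, path and token value are made up.
    url = "https://pam.example.test/api/resources?AUTHTOKEN=CONSTRUCTED-0000&x=1"
    handler = ListHandler()
    handler.addFilter(RedactTokenFilter())
    log = logging.getLogger("pam360_demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    log.debug("Requesting %s", url)  # the kind of log print the fix removed
    log.removeHandler(handler)
    return handler.lines
```
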

Impact :
Using the leaked AUTHTOKEN, shared resource details can be fetched.

Steps to Upgrade:

Acknowledgements:

Reported by Slawomir through our bug bounty portal.

Please contact support for further details at: pam360-support@manageengine.com.