Severity : High
CVE ID : CVE-2022-29081
| Product Name | Affected Version(s) (build numbers) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| Access Manager Plus | 4000 to 4301 | 4302 | 13-04-2022 |
| Password Manager Pro | 10103 to 12006 | 12007 | 14-04-2022 |
| PAM360 | 4001 to 5400 | 5401 | 15-04-2022 |
An authentication bypass vulnerability was reported that allowed an attacker to bypass the security checks on specific RESTAPI URLs and gain unauthorized access to the application.
The following RESTAPI URLs were affected by the vulnerability:
We fixed this issue by adding a security validation check on the API request URI in PAM360 and Password Manager Pro, and by removing the unused API URLs in Access Manager Plus.
The vulnerability allowed an attacker to invoke the following operations in all three products:
In addition to the above, on PAM360 and Password Manager Pro the vulnerability also allowed an attacker to terminate active RDP sessions that had been launched via ManageEngine ServiceDesk Plus.
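The advisory does not say which URLs were affected or how the existing check was bypassed, so the following is only a generic illustration of the class of fix described above ("a security validation check on the API request URI"), added here and not ManageEngine's code. It assumes a servlet-style application where REST endpoints live under a `/RestAPI/` prefix and a small allowlist of public paths (`PUBLIC_PATHS`, constructed for the example); the point is that the authentication decision must be made on the same canonical path the container will dispatch on, and must fail closed when the path cannot be canonicalized.

```python
import posixpath
from urllib.parse import unquote

# Paths reachable without a session. Constructed for this example; the
# advisory does not list the products' real public or protected URLs.
PUBLIC_PATHS = {"/login.do", "/favicon.ico"}


def canonicalize(raw_path: str) -> str:
    """Return the path a servlet container would actually dispatch on.

    1. Percent-decode once; if a second decode still changes the value the
       request was multiply encoded, which we refuse rather than guess at.
    2. Drop ';' path parameters on every segment (Tomcat-style ;jsessionid=).
    3. Collapse '/./', '/../' and repeated slashes.
    Raises ValueError for anything we cannot canonicalize safely.
    """
    decoded = unquote(raw_path)
    if unquote(decoded) != decoded:
        raise ValueError("multiply-encoded path")
    if not decoded.startswith("/"):
        raise ValueError("relative path")
    # Strip ";param=value" from each segment so "/RestAPI/x;a=b" == "/RestAPI/x".
    path = "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))
    # posixpath.normpath never climbs above the root for absolute paths,
    # so "/RestAPI/../login.do" becomes "/login.do", not something outside "/".
    return posixpath.normpath(path)


def weak_requires_auth(raw_path: str) -> bool:
    """Pattern to avoid: a prefix test on the raw, un-normalized URI.

    It is a deny-list: anything that does not literally start with
    "/RestAPI/" is treated as public, even if the container later
    normalizes it to a protected endpoint.
    """
    return raw_path.startswith("/RestAPI/")


def requires_auth(raw_path: str) -> bool:
    """Hardened check: canonicalize first, then allowlist, then deny by default."""
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return True  # fail closed on anything we could not canonicalize
    return path not in PUBLIC_PATHS


if __name__ == "__main__":
    # Constructed request paths: a plain protected call, the same call
    # written with a redundant "/./" segment, a path-parameter variant,
    # and a double-encoded traversal.
    for p in ("/RestAPI/users", "/./RestAPI/users",
              "/RestAPI/users;jsessionid=abc", "/RestAPI/%252e%252e/login.do"):
        print(f"{p!r:40} weak={weak_requires_auth(p)!s:5} hardened={requires_auth(p)}")
```

Running the block shows the difference between the two checks on the constructed inputs: the raw-prefix test lets `/./RestAPI/users` through as "public" while the canonicalizing check still demands a session, and the double-encoded path is refused outright instead of being guessed at. Removing unused API URLs, the second fix the advisory describes, is the complementary measure: an endpoint that no longer exists cannot be reached by any URI trick.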
Reported by Evan Grant.
Please contact product support for further details at the email addresses below:
Password Manager Pro: firstname.lastname@example.org
Access Manager Plus: email@example.com