| Vulnerability Details | |
|---|---|
| Impact | CVSS V3 rating: 8.8 HIGH |
| Fixed | 24 November 2019 |
| Affected Builds | Till Build 14420 |
| Fixed in | Build 14430 |
| Overview | Privilege escalation exploit on PostgreSQL insecure file permission. |
| Recommended Fix | Upgrade Applications Manager to version 14430 or above. |
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in "Authenticated Users" group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.
We recommend you to upgrade Applications Manager to version 14430 to fix this issue.
Source and Acknowledgements
Find out more about CVE-2019-19475 from CVE Directory and NIST NVD.
Reported by:
Sittikorn Sangrattanapitak - Cybersecurity Researcher.
Nuttakorn Tungpoonsup - Secure D Center Research Team, Secure D Center Co.,Ltd.
Ammarit Thongthua - Secure D Center Research Team, Secure D Center Co.,Ltd.
For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com