Unauthenticated File/Directory Creation Vulnerability - CVE-2022-35404

Unauthenticated File/Directory Creation Vulnerability in ManageEngine Password Manager Pro, PAM360 and Access Manager Plus

Severity : Medium

CVE ID : CVE-2022-35404

Details :
An unauthenticated file/directory creation vulnerability (CVE-2022-35404) was reported in Password Manager Pro, PAM360 and Access Manager Plus. This vulnerability allows an adversary to create arbitrary directories and multiple small-sized files on the installation server.

Product Name           Affected Version(s)   Fixed Version(s)   Fixed On
Password Manager Pro   12100 and below       12101              24-06-2022
PAM360                 5500 and below        5510               23-06-2022
Access Manager Plus    4302 and below        4303               24-06-2022

We fixed this issue by adding appropriate authentication checks to our server-side source code: a unique token is created and assigned for every auto-logon session, and the token is validated before a session is initiated.

This vulnerability allows adversaries to create multiple arbitrary directories and files on the installation servers, which can ultimately exhaust the storage capacity of the servers.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective products:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.


Reported by Katie (Tenable).

Please contact the product support for further details at the below mentioned email addresses:

PAM360: pam360-support@manageengine.com

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com
