Severity : Medium
CVE ID : CVE-2022-32551
|ManageEngine ServiceDesk Plus MSP
|10603 and below
|June 7, 2022
This vulnerability allows arbitrary web-root file access to unauthenticated users due to a flaw in handling request paths. Browsing to /sample/WEB-INF/web.xml allows for pre-authenticated arbitrary web-root file access to the contents of /WEBINF/web.xml.
(Same is applicable for sample/META-INF/web.xml)
Impact: Unauthenticated web-root file access
Solution: Customers must upgrade to the latest version of ManageEngine ServiceDesk Plus MSP.
Steps to upgrade: Customers can upgrade to the latest version (10605) using the appropriate migration path listed here.
Acknowledgements: Reported by Poh Jia Hao from STAR Labs in our bug bounty portal.