Severity : Medium
CVE ID : CVE-2022-32551
| Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| ManageEngine ServiceDesk Plus MSP | 10603 and below | 10604 | June 7, 2022 |
Details
This vulnerability allows unauthenticated users arbitrary web-root file access due to a flaw in request path handling. Browsing to /sample/WEB-INF/web.xml returns the contents of /WEB-INF/web.xml without authentication.
(The same applies to sample/META-INF/web.xml.)
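For defenders triaging web-server logs for the access pattern described above, the following is an added example (not part of this advisory and not ManageEngine code): it parses constructed combined-format access log lines, percent-decodes the request path, and flags any request whose path contains a WEB-INF or META-INF segment, noting whether the server answered 200. The log lines and the `/HomePage.do` path are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not from the advisory or any real system).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2022:10:01:02 +0000] "GET /sample/WEB-INF/web.xml HTTP/1.1" 200 4312
203.0.113.7 - - [07/Jun/2022:10:01:05 +0000] "GET /sample/META-INF/web.xml HTTP/1.1" 200 812
198.51.100.4 - - [07/Jun/2022:10:02:11 +0000] "GET /sample/%57EB-INF/web.xml HTTP/1.1" 200 4312
192.0.2.9 - - [07/Jun/2022:10:03:40 +0000] "GET /images/logo.png HTTP/1.1" 200 2211
192.0.2.9 - - [07/Jun/2022:10:04:01 +0000] "GET /HomePage.do HTTP/1.1" 302 0
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PROTECTED = ("WEB-INF", "META-INF")


def protected_segment(path):
    """Return 'WEB-INF' or 'META-INF' if any decoded path segment names one, else None."""
    decoded = path
    for _ in range(3):  # collapse repeated percent-encoding (%2557 -> %57 -> W)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.split("?", 1)[0]  # drop the query string
    for seg in decoded.replace("\\", "/").split("/"):
        if seg.upper() in PROTECTED:
            return seg.upper()
    return None


def find_hits(log_text):
    """Return one record per request that touched a protected directory segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        seg = protected_segment(m["path"])
        if seg:
            hits.append({"ip": m["ip"], "path": m["path"], "segment": seg,
                         "status": int(m["status"]), "served": m["status"] == "200"})
    return hits
```

A 200 response on such a request is the signal that matters: on a fixed build these paths should not return the descriptor.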
Impact: Unauthenticated web-root file access
Solution: Customers must upgrade to the latest version of ManageEngine ServiceDesk Plus MSP.
Steps to upgrade: Customers can upgrade to the latest version (10605) using the appropriate migration path listed here.
Acknowledgements: Reported by Poh Jia Hao from STAR Labs in our bug bounty portal.