Security advisory

ServiceDesk Plus - MSP Support Portal Home » Helpdesk Software Features

Unauthenticated arbitrary web-root file disclosure vulnerability

Severity : Medium

CVE ID : CVE-2022-32551

Product Name Affected Version(s) Fixed Version(s) Fixed On
ManageEngine ServiceDesk Plus MSP 10603 and below 10604 June 7, 2022


This vulnerability allows arbitrary web-root file access to unauthenticated users due to a flaw in handling request paths. Browsing to /sample/WEB-INF/web.xml allows for pre-authenticated arbitrary web-root file access to the contents of /WEBINF/web.xml.

(Same is applicable for sample/META-INF/web.xml)

Impact: Unauthenticated web-root file access

Solution: Customers must upgrade to the latest version of ManageEngine ServiceDesk Plus MSP.

Steps to upgrade: Customers can upgrade to the latest version (10605) using the appropriate migration path listed here.

Acknowledgements: Reported by Poh Jia Hao from STAR Labs in our bug bounty portal.