CVE-2023-6105

ManageEngine Information Disclosure in Multiple Products

CVSS 5.5 MEDIUMEPSS 0.7%CWE-200

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.5EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

15 Nov 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

ManageEngine · Access Manager Plus ManageEngine · Asset Explorer ManageEngine · Service Desk Plus

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.manageengine.com/security/advisory/CVE/CVE-2023-6105.html https://www.tenable.com/security/research/tra-2023-35