Severity: Medium
CVE ID: CVE-2024-27311
Affected Software Version(s): DDI Central build 4001
Fixed Version: Build 4002
Fixed on: May 6, 2024
Details:
ManageEngine DDI Central's IPAM API accepted an unfiltered file-name parameter and decompressed uploaded zip archives without checking the paths of their entries, which allowed an attacker to create arbitrary files under the application folder. The fix adds input validation and sanitization that block directory traversal and unauthorized file placement, and restricts uploads to permitted file types and sizes.
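As an added illustration, not code from ManageEngine or from this advisory, the Python below shows the vulnerable pattern the Details paragraph describes (an entry name taken from an uploaded archive or a file-name parameter and joined onto the destination directory as-is) beside a hardened extractor that applies the kinds of controls the fix is described as adding: rejection of traversal paths, an allow-list of file types, and size caps that do not trust the archive's declared sizes. The allowed extensions, size limits, name pattern and the sample archive are assumptions constructed for the example; they are not DDI Central's actual settings or API.

```python
import io
import os
import posixpath
import re
import tempfile
import zipfile

# Assumed policy for this example (not taken from the advisory or the product):
# an IPAM import accepts only .csv/.txt entries, capped per entry and per archive.
ALLOWED_EXTENSIONS = {".csv", ".txt"}
MAX_ENTRY_BYTES = 1 * 1024 * 1024
MAX_TOTAL_BYTES = 8 * 1024 * 1024
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def build_test_archive() -> bytes:
    """Constructed sample: one legitimate entry, one traversal entry, one disallowed type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("subnets.csv", "10.0.0.0/24,lab\n")
        zf.writestr("../../../dropped.txt", "lands outside the upload directory\n")
        zf.writestr("script.sh", "#!/bin/sh\necho planted\n")
    return buf.getvalue()


def is_safe_upload_name(name: str) -> bool:
    """Allow-list check for a user-supplied file name parameter: charset and extension."""
    return bool(SAFE_NAME.match(name)) and os.path.splitext(name)[1].lower() in ALLOWED_EXTENSIONS


def naive_target(dest: str, member_name: str) -> str:
    """The vulnerable pattern: join the archive's own entry name onto dest and trust it."""
    return os.path.normpath(os.path.join(dest, member_name))


def safe_target(dest: str, member_name: str) -> str:
    """Resolve an entry name to a path that is guaranteed to stay inside dest, or raise."""
    if member_name.startswith("/") or "\\" in member_name or ":" in member_name:
        raise ValueError(f"rejected entry path: {member_name!r}")
    parts = posixpath.normpath(member_name).split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"rejected entry path: {member_name!r}")
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    # Defence in depth: after the textual checks, the resolved path must still be under dest.
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"rejected entry path: {member_name!r}")
    return target


def safe_extract(archive: bytes, dest: str) -> dict:
    """Extract only entries that pass path, name/type and size checks; report the rest."""
    result = {"extracted": [], "rejected": {}}
    total = 0
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            try:
                if info.is_dir():
                    raise ValueError("directory entries are not accepted")
                target = safe_target(dest, name)
                if not is_safe_upload_name(os.path.basename(name)):
                    raise ValueError(f"rejected file name or type: {name!r}")
                # Do not trust the declared size: read with a hard cap so a lying header
                # or a decompression bomb cannot fill the disk.
                with zf.open(info) as src:
                    data = src.read(MAX_ENTRY_BYTES + 1)
                if len(data) > MAX_ENTRY_BYTES or total + len(data) > MAX_TOTAL_BYTES:
                    raise ValueError("size limit exceeded")
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "xb") as out:  # "x": never overwrite an existing file
                    out.write(data)
            except (ValueError, FileExistsError) as exc:
                result["rejected"][name] = str(exc)
                continue
            total += len(data)
            result["extracted"].append(name)
    return result


def demo() -> dict:
    """Run the hardened extractor on the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        outcome = safe_extract(build_test_archive(), dest)
        outcome["on_disk"] = sorted(os.listdir(dest))
        # What the vulnerable join would have produced for the traversal entry.
        naive = naive_target(dest, "../../../dropped.txt")
        outcome["naive_escapes_dest"] = os.path.commonpath([dest, naive]) != dest
    return outcome


if __name__ == "__main__":
    print(demo())
```

The textual checks in safe_target reject traversal before any path is built, and the realpath/commonpath comparison catches anything those checks miss (for example a symlinked subdirectory inside dest). Opening the output with mode "x" matches the behaviour the advisory describes, creation without overwrite, while the capped read protects against archives whose headers understate their uncompressed size.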
Impact:
The flaw allowed an attacker to create new files within the application folder; it could not overwrite existing files, and the planted files were not executed automatically. Even with the directory permission restrictions in place, this posed a significant risk to system integrity and security.
Steps to upgrade:
Update your DDI Central Node Agent instance to the latest build 4002 using the service pack.
Acknowledgements:
This issue was reported by Zewei Zhang of NSFOCUS TIANJI Lab.