List of security vulnerabilities fixed in OpUtils

This page lists all security vulnerabilities fixed in OpUtils, along with their CVE IDs and the build numbers in which they were fixed. Go to ManageEngine's Security Response Center to report vulnerabilities in ManageEngine products.

| CVE ID | Synopsis | Severity | Fixed in build(s) |
|---|---|---|---|
| ZVE-2024-1132 | A CSRF vulnerability (ZVE-2024-1132) allowed external users to use the network tools without authentication to perform ping or SNMP ping on network devices. This has now been fixed. (Reported by Jayateertha Guruprasad.) | Medium | 128103 / 128247 |
| CVE-2023-47211 | A path traversal vulnerability was found in the MIB browser. This has been fixed by implementing path sanitization. | High | 127193 / 127194 / 127248 / 127260 |
| CVE-2022-37024 | A Remote Code Execution (RCE) vulnerability in IPv6 address management, reported by an anonymous researcher working with Trend Micro Zero Day Initiative. This has now been fixed. | Critical | 125658 / 126105 / 126120 / 126003 |
| CVE-2022-38772 | A Remote Code Execution (RCE) vulnerability in IPv4 address management, reported by an anonymous researcher working with Trend Micro Zero Day Initiative. This has now been fixed. | Critical | 125658 / 126105 / 126120 / 126003 |
| CVE-2022-36923 | A vulnerability allowed unauthenticated access to the user API key. This has now been fixed. (Reported by an anonymous researcher working with Trend Micro Zero Day Initiative.) | Critical | 125657 / 126002 / 126104 / 126118 |
| CVE-2021-44514 | Audit directories were mishandled in a few OpUtils modules. | High | 125474 / 125490 |
| CVE-2021-3287 | Unauthenticated Remote Code Execution (RCE) vulnerability due to a general bypass of the deserialization class. | Critical | 125220 / 125314 |
| CVE-2020-28653 | Unauthenticated Remote Code Execution (RCE) vulnerability in the Smart Update Manager (SUM) servlet. | High | 125203 / 125218 |
| CVE-2020-13818 | Directory traversal validation could be bypassed when using `<cachestart>`. | High | 125144 |
| CVE-2020-12116 | Path traversal vulnerability. | High | 124196 / 125125 |
| CVE-2020-11946 | Unauthenticated API key disclosure via a servlet call. | High | 124188 / 125120 |
| CVE-2020-11527 | Arbitrary file read vulnerability. | High | 124181 |
| CVE-2020-10541 | Obsolete code in the Mail Server Settings v1 APIs that caused a Remote Code Execution (RCE) vulnerability has been removed. | High | 124172 |
| CVE-2019-17421 | Incorrect file permissions on the packaged Nipper executable file. | Medium | 124079 / 124099 |
| Internal | An operator user could access some restricted folders by bypassing the session. | High | 123241 |
| CVE-2018-19403 | Unauthenticated Remote Code Execution (RCE) vulnerability. | High | 123231 |
| CVE-2018-17283 | The previously unauthenticated 'oputilsServlet' has been removed. | High | 123196 |
| CVE-2018-12997, CVE-2018-12998 | Remote attackers could inject arbitrary web script or HTML via the 'operation' parameter of /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | High | 123169 |