CVE-2024-38869: Enhanced API Scope Security for Technician Roles in Endpoint Central

This document highlights the security updates implemented in Endpoint Central to enhance the security of configuration deployments.

Release Notes

  • CVE-ID: CVE-2024-38869 
  • Severity: High
  • Update Release Date: 30th June 2024
  • Reported by: Jayateertha Guruprasad via ManageEngine Bug bounty program

What Was the Problem?

Certain API scope parameters for technician roles were misconfigured, allowing technicians to deploy configurations to remote offices outside their designated scope. This issue has now been resolved by implementing proper access control mechanisms.
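The flaw described above is an object-level authorization gap: the role permission to deploy configurations was honoured, but the requested target offices were not compared with the technician's assigned scope. The following Python is an added illustration of that bug class and of the corrective check; it is not Endpoint Central code, and every name in it (Technician, DeploymentRequest, authorize_deployment, the "config.deploy" permission string, the office ids) is hypothetical. The weak variant checks only the role; the hardened variant also enforces the scope, fails closed on an empty target list, and records every denial so out-of-scope attempts are visible in the audit trail.

```python
"""Object-level scope enforcement for configuration deployments (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Technician:
    user_id: str
    permissions: FrozenSet[str]          # role-level permissions, e.g. "config.deploy" (hypothetical)
    remote_office_scope: FrozenSet[str]  # object-level scope: remote office ids this technician manages


@dataclass(frozen=True)
class DeploymentRequest:
    config_id: str
    target_office_ids: Tuple[str, ...]   # offices the caller asked to deploy to


AUDIT_LOG: List[str] = []  # constructed stand-in for a real audit trail


def _audit(event: str) -> None:
    AUDIT_LOG.append(event)


def authorize_deployment_weak(tech: Technician, req: DeploymentRequest) -> bool:
    """Role-only check: the class of bug the advisory describes.

    The technician's role may deploy configurations, but the requested target
    offices are never compared with the technician's scope, so any office can
    be targeted once the role permission is held.
    """
    return "config.deploy" in tech.permissions


def authorize_deployment(tech: Technician, req: DeploymentRequest) -> Tuple[bool, FrozenSet[str]]:
    """Role check plus object-level scope check; denies by default.

    Returns (allowed, out_of_scope_office_ids). The whole request is rejected
    if any target lies outside the technician's scope or if no target is given;
    partial deployment to the in-scope subset is deliberately not attempted.
    """
    if "config.deploy" not in tech.permissions:
        _audit(f"DENY user={tech.user_id} config={req.config_id} reason=missing_permission")
        return False, frozenset()
    targets = frozenset(req.target_office_ids)
    if not targets:
        _audit(f"DENY user={tech.user_id} config={req.config_id} reason=no_targets")
        return False, frozenset()
    out_of_scope = targets - tech.remote_office_scope
    if out_of_scope:
        _audit(f"DENY user={tech.user_id} config={req.config_id} "
               f"reason=out_of_scope offices={sorted(out_of_scope)}")
        return False, out_of_scope
    _audit(f"ALLOW user={tech.user_id} config={req.config_id} targets={sorted(targets)}")
    return True, frozenset()


if __name__ == "__main__":
    # Constructed sample: a technician scoped to two offices asks to deploy to
    # one in-scope and one out-of-scope office.
    tech = Technician("tech-01", frozenset({"config.deploy"}),
                      frozenset({"office-north", "office-west"}))
    req = DeploymentRequest("cfg-42", ("office-north", "office-east"))
    print("weak check allows:", authorize_deployment_weak(tech, req))      # True
    print("scope check allows:", authorize_deployment(tech, req))          # (False, frozenset({'office-east'}))
    for line in AUDIT_LOG:
        print(line)
```

The design point is that the role permission and the scope are independent controls: the scope check must run server-side on every deployment call, against the technician's stored assignments rather than anything supplied in the request, and a denial should reject the entire request rather than silently trimming it to the in-scope offices.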

Fix Build

  • For Enterprise:
    • If you are using version 11.3.2400.22 or below, upgrade to 11.3.2400.25.
    • If you are using version 11.3.2416.03 or below, upgrade to 11.3.2416.04.
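To check an inventory of installed builds against the two bullets above, the following Python is an added example (not a ManageEngine tool). It copies the build numbers from this advisory and assumes that each bullet describes its own release line (11.3.2400.x and 11.3.2416.x); a build that lies between the last affected build and the fix build of a line, or that belongs to a line the advisory does not list, is reported as "unknown" for manual review rather than guessed at. The inventory at the bottom is constructed sample data.

```python
"""Map installed Endpoint Central build numbers to the fix builds in this advisory (added example)."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Per release line: (last affected build, build to upgrade to), copied from the advisory.
FIX_BUILDS: Dict[Version, Tuple[str, str]] = {
    (11, 3, 2400): ("11.3.2400.22", "11.3.2400.25"),
    (11, 3, 2416): ("11.3.2416.03", "11.3.2416.04"),
}


def parse_build(build: str) -> Version:
    """Parse 'a.b.c.d' into a comparable tuple of ints; rejects any other shape."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build format: {build!r}")
    return tuple(int(p) for p in parts)


def required_upgrade(build: str) -> Tuple[str, Optional[str]]:
    """Return ("upgrade", fix_build), ("fixed", None) or ("unknown", None).

    "unknown" covers builds the advisory's bullets do not describe (assumption:
    each bullet is scoped to its own release line), so they get manual review.
    """
    v = parse_build(build)
    entry = FIX_BUILDS.get(v[:3])
    if entry is None:
        return "unknown", None
    last_affected, fix = entry
    if v <= parse_build(last_affected):
        return "upgrade", fix
    if v >= parse_build(fix):
        return "fixed", None
    return "unknown", None


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Apply required_upgrade to a {server_name: build} inventory."""
    return {name: required_upgrade(build) for name, build in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (server names and builds are made up for the demo).
    sample = {
        "ec-prod-01": "11.3.2400.20",
        "ec-prod-02": "11.3.2400.25",
        "ec-lab-01": "11.3.2416.03",
        "ec-lab-02": "11.3.2410.01",
    }
    for name, (status, fix) in audit_inventory(sample).items():
        print(f"{name}: {status}" + (f" -> {fix}" if fix else ""))
```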

How to Fix It?

This issue has been identified and fixed in Endpoint Central builds released on 30th June 2024.

  1. Log in to the product console.
  2. Click on your current build number (top right corner).
  3. Download and install the latest applicable update (PPM).

Note: This update is applicable to both On-Premises and Cloud versions.

Contact Support

If you have any questions or require further assistance, please don't hesitate to contact our support team.