CVE ID : CVE-2022-40772
| Product Name | Severity | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|---|
| ManageEngine ServiceDesk Plus MSP | High | 10608 and below | 10609 | Sept 26, 2022 |
| ManageEngine SupportCenter Plus | High | 11024 and below | 11025 | Oct 13, 2022 |
Details
The vulnerability allows an adversary to access restricted data in the Postgres database setup, by using a specific PostgreSQL function in the query which enables bypassing the validation mechanism.
Impact
Users who have access to query reports can access restricted data.
Solution
Customers must upgrade to version 10609 or above of ManageEngine ServiceDesk Plus MSP and 11025 of ManageEngine SupportCenter Plus.
Steps to upgrade:
ServiceDesk Plus MSP customers can upgrade to version 10609 or above using the appropriate migration path listed here.
SupportCenter Plus customers can upgrade to version 11025 using the appropriate migration path listed here.
Acknowledgements:
Reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.