Severity: Low

CVE ID: CVE-2023-6105

Details:
This advisory addresses an encryption key disclosure vulnerability caused by improper folder access, which has been reported and patched in the following ManageEngine products:

| Product Name(s) | Impacted Version(s) | Fixed Version(s) | Released On |
| --- | --- | --- | --- |
| Access Manager Plus | 4311 and below | 4312 | 01/12/2023 |
| AD360 | 4318 and below | 4319 | 24/11/2023 |
| ADAudit Plus | 7250 and below | 7251 | 17/10/2023 |
| ADManager Plus | 7203 and below | 7210 | 29/09/2023 |
| ADSelfService Plus | 6303 and below | 6304 | 24/08/2023 |
| Analytics Plus On-Premise | 5260 and below | 5300 | 16/10/2023 |
| Application Control Plus | 11.2.2325.10 and below | 11.2.2328.1 | 15/06/2023 |
| Asset Explorer | 7003 and below | 7004 | 28/06/2023 |
| Browser Security Plus | 11.2.2307.1 and below | 11.2.2328.1 | 31/07/2023 |
| Cloud Security Plus | 4162 and below | 4170 | 10/11/2023 |
| Creator On-Premise | 1.1.2 and below | 2.0.0 | 07/11/2023 |
| Data Security Plus | 6125 and below | 6126 | 10/11/2023 |
| Device Control Plus | 11.2.2315.13 and below | 11.2.2322.1 | 15/06/2023 |
| Endpoint Central | 11.2.2320.1 and below | 11.2.2322.1 | 15/06/2023 |
| Endpoint Central MSP | 11.2.2320.1 and below | 11.2.2322.1 | 15/06/2023 |
| Endpoint DLP | 11.1.2300.3 and below | 11.2.2322.1 | 15/06/2023 |
| Eventlog Analyzer | Windows - 12331 and below; Linux - 12438 and below | Windows - 12336; Linux - 12460 | Windows - 29/11/2023; Linux - 06/05/2024 |
| Exchange Reporter Plus | 5712 and below | 5713 | 15/09/2023 |
| Firewall Analyzer | Windows - 125621 and below; Linux - 127197 and below | Windows - 125632; Linux - 127243 | Windows - 26/04/2022; Linux - 27/09/2023 |
| Key Manager Plus | 6620 and below | 6650 | 12/01/2024 |
| Log360 | 5340 and below | 5345 | 29/11/2023 |
| Log360 UEBA | 4048 and below | 4050 | 18/10/2023 |
| M365 Manager Plus | 4538 and below | 4539 | 01/03/2024 |
| M365 Security Plus | 4538 and below | 4539 | 01/03/2024 |
| Mobile Device Management | 10.1.2203.1 and below | 10.1.2204.2 | 15/04/2022 |
| Mobile Device Management MSP | 10.1.2203.1 and below | 10.1.2204.2 | 15/04/2022 |
| Netflow Analyser | Windows - 125621 and below; Linux - 127197 and below | Windows - 125632; Linux - 127243 | Windows - 26/04/2022; Linux - 27/09/2023 |
| Network Configurations Manager | Windows - 125621 and below; Linux - 127197 and below | Windows - 125632; Linux - 127243 | Windows - 26/04/2022; Linux - 27/09/2023 |
| OpManager | Windows - 125621 and below; Linux - 127197 and below | Windows - 125632; Linux - 127243 | Windows - 26/04/2022; Linux - 27/09/2023 |
| OpUtils | Windows - 125621 and below; Linux - 127197 and below | Windows - 125632; Linux - 127243 | Windows - 26/04/2022; Linux - 27/09/2023 |
| OS Deployer | 1.2.2327.1 and below | 1.2.2331.1 | 03/08/2023 |
| PAM360 | 6510 and below | 6520 | 01/12/2023 |
| Password Manager Pro | 12401 and below | 12410 | 13/12/2023 |
| Patch Connect Plus | 90123 and below | 90124 | 22/08/2023 |
| Patch Manager Plus | 11.2.2325.30 and below | 11.2.2328.1 | 15/06/2023 |
| Recovery Manager Plus | 6072 and below | 6074 | 31/10/2023 |
| Remote Access Plus | 11.2.2325.22 and below | 11.2.2328.1 | 21/06/2023 |
| Remote Monitoring and Management | 10.2.9 and below | 10.2.11 | 30/08/2023 |
| Secure Gateway Server | 90090 and below | 90091 | 21/09/2021 |
| ServiceDesk Plus | 14303 and below | 14304 | 28/06/2023 |
| ServiceDesk Plus MSP | 14304 and below | 14305 | 10/08/2023 |
| SharePoint Manager Plus | 4404 and below | 4405 | 26/10/2023 |
| Support Center Plus | 14304 and below | 14305 | 05/09/2023 |
| Vulnerability Manager Plus | 11.2.2325.13 and below | 11.2.2328.01 | 15/06/2023 |

Impact:

This vulnerability permits all logged-in users on the server machine to access the application folder and its files.

Note:

  • File access to the server machine is required in order to exploit this vulnerability.

  • This vulnerability does not impact ManageEngine On-Demand/Cloud products.
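
An administrator's check for the condition described under Impact, added here as an example and not taken from ManageEngine: it lists the files in an installation directory that any local account can reach on a Linux host. It assumes POSIX mode bits only (file ACLs and Windows ACLs are not evaluated) and that the directories above the one audited are traversable; the sample tree and its file names are constructed.

```python
import os
import stat
import sys
import tempfile

def world_accessible(root):
    """Return sorted (relative_path, access) pairs for entries under root that
    any local account can reach via the POSIX "other" permission bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        if not dmode & stat.S_IXOTH:
            dirnames[:] = []  # others cannot traverse here: subtree unreachable
            continue
        if dmode & stat.S_IWOTH:
            findings.append((os.path.relpath(dirpath, root), "dir-w"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # ignore symlinks, sockets and device nodes
            access = ("r" if mode & stat.S_IROTH else "") + \
                     ("w" if mode & stat.S_IWOTH else "")
            if access:
                findings.append((os.path.relpath(path, root), access))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree; directory and file names are hypothetical."""
    root = tempfile.mkdtemp(prefix="app_home_")
    os.chmod(root, 0o755)
    for sub, mode in (("conf", 0o755), ("private", 0o750)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    files = (("conf/app.key", 0o644), ("conf/server.xml", 0o640),
             ("private/db.key", 0o644))
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    # Pass the real installation directory as argv[1]; with no argument the
    # constructed sample tree is audited instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, access in world_accessible(target):
        print(f"{access:6} {rel}")
```

A file whose own mode is permissive but whose parent directory denies traversal to other users is not reported, because those users cannot reach it.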

Acknowledgements:

This vulnerability was reported by Tenable through our Bug Bounty program.

Please contact our product support or security@manageengine.com if you need any further assistance.