CVE ID: CVE-2023-22964
Severity: Critical
| Product Name | Affected version(s) | Fixed version(s) | Fixed On |
|---|---|---|---|
| ManageEngine ServiceDesk Plus MSP | 10600 to 10610 | 10611 | Jan 5, 2023 |
| ManageEngine ServiceDesk Plus MSP | 13000 to 13003 | 13004 | Jan 5, 2023 |
Details
A flaw in the LDAP authentication process allows an adversary to log in to the application with arbitrary input as the password. The flaw affects user accounts whose details were imported from an LDAP server and subsequently modified, either manually or through an API.
This vulnerability is applicable only when LDAP authentication is enabled.
Impact
An adversary can bypass authentication and log in to the ServiceDesk Plus MSP application without knowing a valid password.
Workaround
Customers can disable LDAP authentication in ServiceDesk Plus MSP.
Solution
Customers must upgrade to the latest version of ManageEngine ServiceDesk Plus MSP.
Steps to upgrade:
Customers running builds 13000 to 13003 must upgrade to the latest version (13004), and customers running builds 10600 to 10610 must upgrade to 10611, using the appropriate migration path listed here.
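The following triage helper is an added example and is not ManageEngine's own code. It encodes the affected and fixed builds from the table above together with the precondition that the issue only applies when LDAP authentication is enabled, and classifies a fleet of instances by what needs to happen to each. It assumes that ServiceDesk Plus MSP build numbers are plain integers (for example 13003), that a build listed in the "Fixed version(s)" column is fixed, that any build the advisory does not list must be verified by hand rather than assumed safe, and that the inventory lines, host names and the LDAP flag column are constructed sample data.

```python
"""Triage helper for CVE-2023-22964 (added example, not ManageEngine code).

Assumptions: build numbers are integers; builds listed as fixed are fixed;
builds the advisory does not mention are reported as unknown for manual
verification; the LDAP-enabled flag per instance is known from inventory.
"""
from dataclasses import dataclass
from typing import List, Optional

# (first affected build, last affected build, fixed build), as per the advisory table.
AFFECTED_RANGES = (
    (10600, 10610, 10611),
    (13000, 13003, 13004),
)
FIXED_BUILDS = frozenset(fixed for _, _, fixed in AFFECTED_RANGES)


@dataclass(frozen=True)
class Triage:
    name: str
    build: int
    ldap_enabled: bool
    # One of: upgrade_required, affected_not_exposed, fixed, unknown_build
    status: str
    target_build: Optional[int]


def fixed_build_for(build: int) -> Optional[int]:
    """Return the fixed build an affected build must move to, or None if not listed as affected."""
    for low, high, fixed in AFFECTED_RANGES:
        if low <= build <= high:
            return fixed
    return None


def triage(name: str, build: int, ldap_enabled: bool) -> Triage:
    """Classify one instance against the advisory.

    - affected build + LDAP auth enabled  -> exposed now, upgrade required
      (disabling LDAP auth is the interim workaround until upgraded)
    - affected build + LDAP auth disabled -> not exploitable per the advisory,
      but still on a vulnerable build; upgrade before re-enabling LDAP auth
    - listed fixed build                  -> fixed
    - anything else                       -> not covered by the advisory, verify manually
    """
    target = fixed_build_for(build)
    if target is not None:
        status = "upgrade_required" if ldap_enabled else "affected_not_exposed"
        return Triage(name, build, ldap_enabled, status, target)
    if build in FIXED_BUILDS:
        return Triage(name, build, ldap_enabled, "fixed", None)
    return Triage(name, build, ldap_enabled, "unknown_build", None)


# Constructed sample inventory; host names and values are invented for the example.
SAMPLE_INVENTORY = """\
# host,build,ldap_auth_enabled
sdp-msp-prod-01,13003,yes
sdp-msp-prod-02,13004,yes
sdp-msp-legacy-01,10605,no
sdp-msp-legacy-02,10610,yes
sdp-msp-test-01,12000,yes
"""


def parse_inventory(text: str) -> List[Triage]:
    """Parse 'host,build,ldap_auth_enabled' lines (comments and blanks skipped) into Triage records."""
    rows: List[Triage] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, build, ldap = (field.strip() for field in line.split(","))
        rows.append(triage(name, int(build), ldap.lower() in ("yes", "true", "1")))
    return rows


def upgrade_required(rows: List[Triage]) -> List[Triage]:
    """Instances that are on an affected build with LDAP authentication enabled."""
    return [r for r in rows if r.status == "upgrade_required"]


if __name__ == "__main__":
    for r in parse_inventory(SAMPLE_INVENTORY):
        target = f" -> upgrade to {r.target_build}" if r.target_build else ""
        print(f"{r.name}: build {r.build}, ldap={r.ldap_enabled}: {r.status}{target}")
```

Instances reported as `affected_not_exposed` are on a vulnerable build but, per the advisory, not exploitable while LDAP authentication stays disabled; treat re-enabling LDAP authentication on them as a blocker until they reach the fixed build.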