CVE-2020-8422 - OpenCVE

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zohocorp	Manageengine Remote Access Plus

Configuration 1 [-]

cpe:2.3:a:zohocorp:manageengine_remote_access_plus:*:*:*:*:*:*:*:*

References

Link	Resource
https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422	Third Party Advisory
https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-01-31T15:25:11

Updated: 2020-01-31T15:27:25

Reserved: 2020-01-28T00:00:00

Link: CVE-2020-8422

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-31T16:15:10.690

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-8422

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password)."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-31T15:27:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"tags": ["x_refsource_MISC"], "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8422", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422", "refsource": "MISC", "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"name": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/", "refsource": "MISC", "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8422", "datePublished": "2020-01-31T15:25:11", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2020-01-31T15:27:25", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_remote_access_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "96B06C9B-CE1F-44CC-9AEE-71CF30AF8AEA", "versionEndExcluding": "10.0.450", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password)."}, {"lang": "es", "value": "Se detect\u00f3 un problema de autorizaci\u00f3n en la funcionalidad Credential Manager en Zoho ManageEngine Remote Access Plus versiones anteriores a 10.0.450. Un usuario con el rol Invitado puede extraer la colecci\u00f3n de todas las credenciales definidas de m\u00e1quinas remotas: el nombre de credencial, el tipo de credencial, el nombre de usuario, el nombre de dominio y grupo de trabajo y la descripci\u00f3n (pero no la contrase\u00f1a)."}], "id": "CVE-2020-8422", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-31T16:15:10.690", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}