CVE-2014-3997 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2014-3997?

CVE-2014-3997 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3997?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Password Manager Pro, Zohocorp Manageengine It360.

Vulnerability Description

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Zohocorp	Manageengine Password Manager Pro	5.0
Zohocorp	Manageengine It360	<= 10.3.3

Related Weaknesses (CWE)

CWE-89

References

http://seclists.org/fulldisclosure/2014/Aug/55ExploitMailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2014/Aug/85ExploitMailing ListThird Party Advisory
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360Exploit
https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_Exploit
http://seclists.org/fulldisclosure/2014/Aug/55ExploitMailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2014/Aug/85ExploitMailing ListThird Party Advisory
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360Exploit
https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_Exploit

FAQ

What is CVE-2014-3997?

CVE-2014-3997 is a vulnerability with a CVSS score of 7.5 (HIGH). SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and...

How severe is CVE-2014-3997?

CVE-2014-3997 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3997?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Password Manager Pro, Zohocorp Manageengine It360.