CVE-2014-7863 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2014-7863?

CVE-2014-7863 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-7863?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Applications Manager, Zohocorp Manageengine It360, Zohocorp Manageengine Opmanager.

Vulnerability Description

The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Zohocorp	Manageengine Applications Manager	<= 11.9
Zohocorp	Manageengine It360	<= 10.5
Zohocorp	Manageengine Opmanager	>= 8, <= 11.5

Related Weaknesses (CWE)

CWE-200

References

http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-DExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2015/Jan/114Exploit
http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threadedBroken LinkThird Party AdvisoryVDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/100554Third Party AdvisoryVDB Entry
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.Broken Link
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilitiesExploitVendor Advisory
http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-DExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2015/Jan/114Exploit
http://www.securityfocus.com/archive/1/archive/1/534575/100/0/threadedBroken LinkThird Party AdvisoryVDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/100554Third Party AdvisoryVDB Entry
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.Broken Link
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilitiesExploitVendor Advisory

FAQ

What is CVE-2014-7863?

CVE-2014-7863 is a vulnerability with a CVSS score of 7.5 (HIGH). The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properl...

How severe is CVE-2014-7863?

CVE-2014-7863 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-7863?

Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Applications Manager, Zohocorp Manageengine It360, Zohocorp Manageengine Opmanager.