Vulnerability Description
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Eventlog Analyzer | >= 10.0, < 12.1.1 |
References
- http://packetstormsecurity.com/files/156485/ManageEngine-EventLog-Analyzer-10.0-Exploit (Third Party Advisory, VDB Entry)
- https://gist.github.com/scottgoodwin90/19ccecdc9f5733c0a9381765cfc7fe39 (Third Party Advisory)
- https://www.manageengine.com/products/eventlog/features-new.html#release (Vendor Advisory)
FAQ
What is CVE-2019-19774?
CVE-2019-19774 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypas...
How severe is CVE-2019-19774?
CVE-2019-19774 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above.
Is there a patch for CVE-2019-19774?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Eventlog Analyzer.