NVD:CVE-2023-2291
History: Apr 26, 2023 - 9:15 p.m.

CVE-2023-2291

2023-04-26 21:15:09
web.nvd.nist.gov
cve-2023-2291
postgresql
manageengine
access manager plus
password manager pro
pam360
static credentials
configuration data
low-privileged user
administrative user
security vulnerability

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.7 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 16.0%)

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

Affected configurations

NVD
Node
zohocorp manageengine_access_manager_plus Match 4.3 build4309
OR
zohocorp manageengine_pam360
OR
zohocorp manageengine_password_manager_pro
