Hi there,
This is to let you know that a critical security vulnerability issue was detected in Password Manager Pro, and it has now been fixed.
What is the issue?
CVE-2022-29081 affects customers of ManageEngine Password Manager Pro using version 10103 to 12006. An adversary can exploit this vulnerability to bypass security checks in specific RESTAPI URLs and gain unauthorized access to the application.
Severity: High
Impact:
This vulnerability allows an adversary to invoke the following operations in Password Manager Pro:
- Restart the service
- Access dashboard details
- Apply a product license and get existing license details
- Create new server certificates
- Create/download server CSR, and apply server certificates
- Fetch event logs, and set up synchronization schedules
In addition to the aforementioned actions, the vulnerability also allows adversaries to terminate active RDP sessions, launched via ManageEngine ServiceDesk Plus, on Password Manager Pro.
Please note: This vulnerability does not expose any of the privileged account information, credentials and passwords stored in the password vault of the product.
What should the customers do
The latest version of Password Manager Pro holds the recommended mitigation targeting the vulnerability. We recommend users to upgrade to the latest build of Password Manager Pro, which can be downloaded here
Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above link.
Important note: We strongly recommend you take a backup of your entire Password Manager Pro installation folder before the upgrade, and keep the copy in a separate location. This helps you prevent any accidental loss of data, and will keep all your settings intact. If you're using an MS SQL server as the back-end database, backup the Password Manager Pro database as well before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We express our sincerest apologies for any inconvenience this might have caused.
Regards,
Praveen
ManageEngine Password Manager Pro