[Security advisory] Authentication bypass vulnerability in AssetExplorer versions 6800 and above


Hi there,

 

This is a security advisory regarding a possible authentication bypass vulnerability in a few application URLs in AssetExplorer, which has been identified and rectified.

Users of AssetExplorer (all editions) with version 6800 and above might be affected by this vulnerability and are advised to update to the latest version (6905) immediately.

 

Severity: High

 

Impact:

This vulnerability allows an attacker to gain unauthorized access to the application's data through a few of its application URLs. To do so, an attacker manipulates a vulnerable application URL path from the assets module with a particular character set replacement. The manipulated URL bypasses the authentication process and returns the requested data, allowing the attacker to gain unauthorized access to user data or to carry out subsequent attacks.
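The advisory does not say which characters are substituted, so the following is an added, hypothetical detection example (not ManageEngine's code and not a description of the actual flaw). It assumes one generic heuristic for URL-path-manipulation bypasses: a request whose raw path differs from its percent-decoded and normalized form deserves review, especially when it targets the assets module and was answered with a 2xx status. The `/assets/` prefix, the log format and the log lines are all constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /assets/list HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /assets/%2e%2e/report HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /assets/detail%3B/view HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical assets-module prefix; AssetExplorer's real URL layout is not
# given in the advisory, so adjust this to the deployment being monitored.
ASSETS_PREFIX = "/assets/"


def canonical_path(raw_target: str) -> str:
    """Strip the query string, percent-decode, and normalize '.', '..' and
    duplicate slashes, giving the path the application would actually serve."""
    path = raw_target.split("?", 1)[0]
    return posixpath.normpath(unquote(path))


def is_suspicious(raw_target: str) -> bool:
    """True when the request touches the assets module (before or after
    decoding) and decoding/normalization changes the path at all."""
    path = raw_target.split("?", 1)[0]
    canon = canonical_path(raw_target)
    touches_assets = path.startswith(ASSETS_PREFIX) or canon.startswith(ASSETS_PREFIX)
    return touches_assets and canon != path


def scan_log(text: str) -> list:
    """Return (client_ip, raw_target, canonical_path) for every successful
    request whose path was encoded or normalized away from its raw form."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["status"].startswith("2") and is_suspicious(m["target"]):
            findings.append((m["ip"], m["target"], canonical_path(m["target"])))
    return findings


if __name__ == "__main__":
    for ip, raw, canon in scan_log(SAMPLE_LOG):
        print(f"review: {ip} requested {raw!r} which resolves to {canon!r}")
```

Run against the constructed log, the scanner flags the two requests from 10.0.0.7 and leaves the plain `/assets/list` and `/login` requests alone. A hit is a reason to look at the request, not proof of compromise: legitimate clients do percent-encode characters, so tune the prefix and status filter to the deployment and treat the canonical path as the thing to compare against what the server should have required authentication for.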

 

What led to the vulnerability?

The improper security configuration process used in AssetExplorer led to the vulnerability.

 

Who is affected?

This vulnerability affects AssetExplorer customers of all editions using versions 6800 and above.

 

How have we fixed it?

The vulnerability has been addressed by fixing the security configuration process in the latest version of AssetExplorer.

 

How to find out if you are affected

Click the Help link in the top-right corner of the AssetExplorer web client, and select About from the drop-down to see your current version. If your current version is 6800 or above, you might be affected.

 

What customers should do

Customers who fit the above criteria can upgrade to the latest version (6905) using the appropriate migration path.

 

Alternatively, based on their current version, customers can also upgrade to the appropriate versions mentioned below:

 

Current version      | Version or service pack with the fix
---------------------|-------------------------------------
From 6727 till 6734  | 6735
From 6800 till 6904  | 6905

 

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to assetexplorer-support@manageengine.com or call us toll-free at +1.888.720.9500.

 

Important note: As always, make a copy of the entire AssetExplorer installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the AssetExplorer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

 

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at assetexplorer-support@manageengine.com.

 

Best,

Umashankar

ManageEngine AssetExplorer