This is a security advisory for all ManageEngine Applications Manager and ManageEngine Applications Manager Plugin users running versions below 14.3. We recommend that you upgrade to the latest version of Applications Manager to avoid the security vulnerabilities described below.
Severity: High
Vulnerabilities:
For Applications Manager users:
Vulnerability type: SQL Injection/Remote Code Execution
Vulnerability description:
Due to an SQL Injection vulnerability in NewThresholdConfiguration.jsp, a low-privileged Applications Manager user could gain admin user authority and execute commands via the "Execute Program Action(s)" feature. This issue has been assigned CVE-2019-15105.
For Applications Manager Plugin users:
Vulnerability types:
SQL Injection/Remote Code Execution
Unauthenticated Remote Command Execution
Vulnerability description:
Due to an SQL Injection vulnerability in NewThresholdConfiguration.jsp, a low-privileged Applications Manager Plugin user could gain admin user authority and execute commands via the "Execute Program Action(s)" feature. This issue has been assigned CVE-2019-15104.
An unauthenticated Applications Manager Plugin user could gain access to the system by bypassing the user password requirements and executing commands on the server. This issue has been assigned CVE-2019-15106.
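As an added example that is not part of this advisory, the following Python script hunts through web-server access log lines for requests to NewThresholdConfiguration.jsp whose query-string values carry SQL-injection indicators, one way a defender can look for exploitation attempts while the upgrade to 14.3 is rolled out. The log layout (Apache/Tomcat "combined" style), the sample lines and the parameter names in them are all constructed assumptions; the advisory does not state the product's log format or the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed layout: Apache/Tomcat-style "combined" access log (not stated in the advisory).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_JSP = "NewThresholdConfiguration.jsp"  # page named in the advisory
# Coarse SQL-injection indicators; tune them to your own false-positive budget.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),   # ' OR 1=1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),         # UNION SELECT
    re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I),  # stacked query
    re.compile(r"--\s*$|/\*.*\*/", re.S),                          # SQL comments
]

def suspicious_values(target):
    """Return (param, decoded value) pairs of a request to the vulnerable JSP that match an indicator."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_JSP):
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if any(p.search(value) for p in SQLI_PATTERNS):   # parse_qsl already URL-decodes
            hits.append((key, value))
    return hits

def scan(lines):
    """Return (ip, user, param, value) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for key, value in suspicious_values(m["target"]):
                findings.append((m["ip"], m["user"], key, value))
    return findings

# Constructed sample lines: a benign request, an injection attempt against the advisory's JSP,
# and the same payload against an unrelated page (ignored, since only the named JSP is in scope).
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Sep/2019:10:00:01 +0000] "GET /NewThresholdConfiguration.jsp?id=42 HTTP/1.1" 200 1234',
    '10.0.0.9 - bob [01/Sep/2019:10:00:07 +0000] "GET /NewThresholdConfiguration.jsp?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 5678',
    '10.0.0.9 - bob [01/Sep/2019:10:00:09 +0000] "GET /index.jsp?q=%27%20OR%201%3D1 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, user, key, value in scan(SAMPLE_LOG):
        print(f"{ip} user={user} param={key!r} value={value!r}")
```

A hit from a user who is not an administrator, followed by use of the "Execute Program Action(s)" feature, is the sequence the advisory describes and is worth escalating.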
Affected versions:
Applications Manager/Applications Manager Plugin
OpManager users having Applications Manager Plugin
Please note that versions other than those mentioned above are not affected by these vulnerabilities.
Solutions:
For Applications Manager/Applications Manager Plugin users:
For OpManager users having Applications Manager Plugin:
We offer our sincere apologies for any inconvenience caused.