[Security advisory for CVE-2021-44525] Authentication bypass vulnerability in ManageEngine Password Manager Pro

Hi there,

This security advisory addresses an authentication bypass vulnerability identified in ManageEngine Password Manager Pro, versions up to 12001 [CVE-2021-44525]. Given the severity of this vulnerability, we strongly urge all customers using Password Manager Pro (all editions) with versions up to 12001 to upgrade to the latest version immediately.

Vulnerability information

CVE-2021-44525 affects customers of all editions of ManageEngine Password Manager Pro. This vulnerability can allow adversaries to gain unauthorized access to the application and invoke actions through a few specific application URLs.

Severity: High

Impact:

An adversary can exploit this vulnerability by manipulating the request URLs that allow them to perform administrative actions in the product. Major actions include:

  • Deleting an organisation

  • Updating privacy settings

  • Configuring authentication options

  • Managing query report categories

  • Configuring emergency measures

This vulnerability does not expose any of the privileged account information, credentials and passwords stored in the password vault of the product.

What led to the vulnerability?

One of the application filters used for handling state in the list view was not configured properly, and a crafted URL routed through this filter would allow a servlet that requires authentication to be reached without proper authentication. APIs and other URL calls are not affected.


Who is affected?

This vulnerability affects ManageEngine Password Manager Pro customers using versions up to 12001 in all editions.


How have we fixed it?

We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.
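The two passages above describe a filter that was relied on for authentication and a fix that adds checks at the endpoint itself. The following is an added illustration of that defensive principle, not Password Manager Pro code: it models a hypothetical servlet-style chain in which the authentication filter is mapped by URL pattern and a list-view state filter forwards internally to an administrative action, and shows that enforcing authentication at the endpoint closes the gap regardless of how the filters are wired. The paths, parameter names and the forward behaviour are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


class Unauthorized(Exception):
    """Raised when a request reaches a protected action without a session."""


@dataclass
class Request:
    path: str
    params: dict
    user: Optional[str] = None            # None models an unauthenticated request
    actions: list = field(default_factory=list)


def delete_org(req: Request, enforce_at_endpoint: bool) -> None:
    """Administrative action (hypothetical). With enforce_at_endpoint=True,
    the action verifies the session itself instead of trusting that an
    upstream filter already did, which is the kind of check the advisory
    describes adding at the affected endpoint URLs."""
    if enforce_at_endpoint and req.user is None:
        raise Unauthorized(req.path)
    req.actions.append(f"delete organisation {req.params['org']}")


def dispatch(req: Request, enforce_at_endpoint: bool = True) -> Request:
    """Assumed filter chain: the auth filter is mapped to /admin/* only,
    while the list-view state filter on /list/* restores a saved view and
    forwards internally to the action. The assumed weakness is that the
    internal forward does not pass through the auth filter again."""
    def endpoint(r: Request) -> None:
        delete_org(r, enforce_at_endpoint)

    if req.path.startswith("/admin/"):
        if req.user is None:                # authentication filter
            raise Unauthorized(req.path)
        endpoint(req)
    elif req.path.startswith("/list/") and "state" in req.params:
        endpoint(req)                       # state filter forwards directly
    return req


def is_rejected(req: Request, enforce_at_endpoint: bool = True) -> bool:
    """True if the request was refused for lack of authentication."""
    try:
        dispatch(req, enforce_at_endpoint)
    except Unauthorized:
        return True
    return False
```

With the endpoint check disabled the forwarded request reaches the action unauthenticated; with it enabled the same request is refused while a logged-in administrator's direct request still succeeds.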


How to find out whether your current version is vulnerable

Click the My Profile icon in the top-right corner of the Password Manager Pro web client, and select About from the drop-down to see your current version. If your current version (any edition) is 12001 or below, your installation is vulnerable.

Please follow our forum post for any further updates regarding this vulnerability.

What customers should do

Password Manager Pro build 12002, released on 04/12/2021, contains the recommended fix for this vulnerability. We have fixed the authentication bypass vulnerability by adding proper authentication checks at the vulnerable end-point URLs. We recommend that users on build 12001 or earlier upgrade to Password Manager Pro build 12002.

The upgrade pack can be downloaded here: https://www.manageengine.com/products/passwordmanagerpro/minor-upgrades.html.


Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to us at passwordmanagerpro-support@manageengine.com, or call us at +1 408 454 4014.

Important note: We strongly recommend you take a backup of your entire Password Manager Pro installation folder before the upgrade, and keep the copy in a separate location. This helps you prevent any accidental loss of data, and will keep all your settings intact. If you're using an MS SQL server as the back-end database, back up the Password Manager Pro database as well before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We express our sincerest apologies for any inconvenience this might have caused. If you have any questions or concerns, please reach out to us at passwordmanagerpro-support@manageengine.com.

