Hi there,

This security advisory addresses two authentication bypass vulnerabilities that affect ServiceDesk Plus versions up to 12002 [CVE-2021-44526] and ServiceDesk Plus customers who use the Desktop Central agent for asset discovery [CVE-2021-44515].

Important note: If you are a customer of the Professional or Enterprise edition of ServiceDesk Plus who uses the Desktop Central agent for asset discovery, follow the steps outlined in the advisories for both CVE-2021-44526 and CVE-2021-44515.

If you are a customer of ServiceDesk Plus who does not use the Desktop Central agent, please only follow the steps outlined in the advisory for CVE-2021-44526, explained in this post.

CVE-2021-44515 affects customers of the Professional and Enterprise editions of ServiceDesk Plus who use the Desktop Central agent for asset discovery and can lead to a remote code execution attack. We strongly urge customers who use the Desktop Central agent to refer to this security advisory for more information and the steps to upgrade Desktop Central to the latest version.

CVE-2021-44526 affects customers using all editions of the on-premises version of ServiceDesk Plus versions 12002 and below, irrespective of whether they use the Desktop Central agent, and we strongly urge all customers to upgrade to the latest version of ServiceDesk Plus immediately. This vulnerability does not affect ServiceDesk Plus Cloud versions.

The rest of the advisory will be focused on CVE-2021-44526, an authentication bypass vulnerability in ServiceDesk Plus versions up to 12002.

Severity: High

Impact:

This vulnerability can allow an adversary to bypass authentication and access Templates’ field and form rules, Technician Auto Assign settings, the Asset Field's Allowed Values, Translation and Change SLA configurations, the Assets associated to a user, and role details from Change Templates, as well as reorder the Service Catalog.

What led to the vulnerability?

One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated servlet to be accessed without proper authentication. APIs and other URL calls are not affected.

Who is affected?

This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions up to 12002.

How have we fixed it?

We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.

How to find out if you are affected

Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 12002 and below, your installation is vulnerable.

Please follow this forum post for any further updates regarding this vulnerability.