Security Advisory for ManageEngine Applications Manager 14.6

Security Advisory for ManageEngine Applications Manager 14.6

This is a security advisory for all ManageEngine Applications Manager users below build number 14685 ('Support' tab -> Install Information -> Build Number). We recommend you to upgrade to the latest version of Applications Manager to avoid the security vulnerabilities described below.

Severity: Critical

Affected versions: Below 14684

Please note that the versions other than the ones mentioned above remain unaffected by the vulnerability.

Issue reported: Unauthorized access by bypassing the authentication mechanism.
Vulnerabilities:

Vulnerability type: SQL Injection

Vulnerability description: Applications Manager could be accessed by unauthorized users due to the following SQL injection vulnerabilities:
 
1. Unauthenticated Remote Code Execution via SQL injection in REST API module.

2. Unauthenticated SQL Injection in Alarm Escalation module.
 
These issues have been addressed in CVE-2020-15394 and CVE-2020-15533


Solution:

‚Äč

Download the service pack and upgrade to the latest version (14685). Please read the instructions before you upgrade.

For further assistance, write to us at appmanager-support@manageengine.com or call us at +1 408 916 9494.

We offer our sincere apologies for any inconvenience caused.