Security Advisory for ManageEngine Applications Manager 14.6

This is a security advisory for all ManageEngine Applications Manager users running a build number below 14685 ('Support' tab -> Install Information -> Build Number). We recommend that you upgrade to the latest version of Applications Manager to avoid the security vulnerabilities described below.

Severity: Critical

Affected versions: Below 14684

Please note that versions other than those mentioned above are not affected by the vulnerability.

Issue reported: Unauthorized access by bypassing the authentication mechanism.
Vulnerabilities:

Vulnerability type: SQL Injection

Vulnerability description: Applications Manager could be accessed by unauthorized users due to the following SQL injection vulnerabilities:
 
1. Unauthenticated Remote Code Execution via SQL injection in REST API module.

2. Unauthenticated SQL Injection in Alarm Escalation module.
 
These issues, tracked as CVE-2020-15394 and CVE-2020-15533, have been addressed.


Solution:


Download the service pack and upgrade to the latest version (14685). Please read the instructions before you upgrade.

For further assistance, write to us at appmanager-support@manageengine.com or call us at +1 408 916 9494.

We offer our sincere apologies for any inconvenience caused.

