[Security advisory for CVE-2022-35403] Unauthenticated local file disclosure vulnerability in ServiceDesk Plus

[Security advisory for CVE-2022-35403] Unauthenticated local file disclosure vulnerability in ServiceDesk Plus

Dear customers,

 

This is a security advisory for CVE-2022-35403 regarding the unauthenticated local file disclosure vulnerability in inline image handling in ServiceDesk Plus, which has been identified and rectified. This affects on-premises users of ServiceDesk Plus (all editions) running version 13007 and below.

This issue was reported by our internal security team on our bug bounty portal.

 

Severity: High

 

Impact
This vulnerability allows adversaries to download local files from the server on which ServiceDesk Plus is installed by sending an email to the email address configured in the application with a crafted image URL pointing to the specific file. If the file is present in that location, it gets added as an attachment in the ticket conversation when a technician responds to or when a notification is triggered for the ticket.

 

What led to the vulnerability?
The image's URL was not being processed properly when a technician responded to it or when a notification was triggered for the ticket.


Who is affected?

This vulnerability affects on-premises ServiceDesk Plus customers of all editions using versions 13007 and below.

 

How have we fixed it?

We have added additional checks to process the inline image to avoid the local file disclosure vulnerability.

 

How to find out if you are affected

Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version of ServiceDesk Plus (all editions) is 13007 or below, your installation is vulnerable.

 

Please follow this forum post for any further updates regarding this vulnerability.

 

What you can do

ServiceDesk Plus customers who fit the above criteria can upgrade to the latest version (13008) using the appropriate migration path.

Alternatively, based on their current version, customers can also upgrade to the appropriate versions mentioned below:

 

Current Version

Version or service pack with the fix

11200 to 11313

11314

11200 to12007

12008

 

Please read the upgrade instructions carefully before beginning the upgrade. For help, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.

 

Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you are using an Microsoft SQL Server as a backend database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

 

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.

 

Best,

Siddharth

ManageEngine ServiceDesk Plus


                New to ADSelfService Plus?