This is a security advisory regarding a possible authentication bypass vulnerability in a few REST API URLs in ServiceDesk Plus, which has been identified and rectified. On-premises users of ServiceDesk Plus (all editions) with version 11005 and above might be affected by this vulnerability and are advised to update to the latest version (11302) immediately.
This vulnerability allows an attacker to gain unauthorized access to the application's data through its API support. This would allow the attacker to gain unauthorized access to user data or aid subsequent attacks.
To do so, an attacker has to manipulate any vulnerable API URL path from the requests or assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker.
What led to the vulnerability?
The security framework layer used in ServiceDesk Plus had an improper URL validation process that led to the vulnerability.
Who is affected?
This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions 11005 and above.
How have we fixed it?
The vulnerability has been addressed by fixing the improper URL validation process in the security framework layer in the latest version of ServiceDesk Plus.
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus web client. Select the About option from the drop-down to see your current version. If your current version (all editions) is 11005 or above, you might be affected.
What customers should do
Customers who fit the above criteria can upgrade to the latest version (11302) using the appropriate migration path here.
Alternatively, based on their current version, customers can also upgrade to the appropriate versions mentioned below:
Version or service pack with the fix
11200 to 11301
11200 to 11207
11100 to 11144
11005 to 11011
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to email@example.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at firstname.lastname@example.org.
ManageEngine ServiceDesk Plus