CVE-2023-2291
Last modified
CVE-2023-2291 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from those of a low-privileged user to an Administrative user. EPSS estimates a 0.81% chance of exploitation in the next 30 days.
Description
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Zohocorp | Manageengine Access Manager Plus | 4.3 | Build4309 |
| Zohocorp | Manageengine Pam360 | All versions | — |
| Zohocorp | Manageengine Password Manager Pro | All versions | — |
References
- https://tenable.com/security/research/tra-2023-16 (Exploit, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-2291?
How severe is CVE-2023-2291?
How do I fix CVE-2023-2291?
Source: NVD / NIST
