CVE-2024-0252

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus::::::::
	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.4:6400::::::
	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.4:6401::::::

History

07 Jun 2024, 09:15

Type	Values Removed	Values Added
CWE		CWE-94

19 Jan 2024, 18:54

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-11 08:15

Updated : 2024-06-07 09:15

NVD link : CVE-2024-0252

Mitre link : CVE-2024-0252

CVE.ORG link : CVE-2024-0252

JSON object : View

Products Affected

zohocorp

manageengine_adselfservice_plus

CWE

NVD-CWE-noinfo CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-0252", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-01-11T08:15:35.933", "references": [{"url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html", "tags": ["Vendor Advisory"], "source": "0fc0942c-577d-436f-ae8e-945763c79b02"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "0fc0942c-577d-436f-ae8e-945763c79b02", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "ManageEngine ADSelfService Plus versions\u00a06401\u00a0and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability."}, {"lang": "es", "value": "Las versiones 6401 e inferiores de ManageEngine ADSelfService Plus son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo debido al manejo inadecuado en el componente del balanceador de carga."}], "lastModified": "2024-06-07T09:15:09.347", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B9A77AF-9D42-42A2-84F3-4307E46D917F", "versionEndExcluding": "6.4"}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.4:6400:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FCE8818-79BB-41F7-9D2E-43FEE698B325"}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.4:6401:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC18D7BD-91CC-4019-B429-BBA4353E8984"}], "operator": "OR"}]}], "sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02"}