ManageEngine Access Manager Plus Authentication Bypass (CVE-2021-44676)

critical Nessus Plugin ID 159572

Synopsis

A privileged session management software is affected by an authentication bypass vulnerability.

Description

The ManageEngine Access Manager Plus running on the remote host is affected by an authentication bypass vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to invoke an authenticated Java servlet.

Solution

Upgrade to Access Manager Plus build 4203 or later.

See Also

http://www.nessus.org/u?91048116

Plugin Details

Severity: Critical

ID: 159572

File Name: manageengine_access_manager_plus_cve-2021-44676.nbin

Version: 1.50

Type: remote

Family: CGI abuses

Published: 4/7/2022

Updated: 11/22/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-44676

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_access_manager_plus

Required KB Items: installed_sw/ManageEngine Access Manager Plus

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 12/4/2021

Vulnerability Publication Date: 12/5/2021

Reference Information

CVE: CVE-2021-44676