CVE-2022-24446

EUVD-2022-29329
An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Affected Products (NVD)
VendorProductVersion
zohocorpmanageengine_key_manager_plus
6.1.6
zohocorpmanageengine_key_manager_plus
6.1.6:build6100
zohocorpmanageengine_key_manager_plus
6.1.6:build6150
zohocorpmanageengine_key_manager_plus
6.1.6:build6151
zohocorpmanageengine_key_manager_plus
6.1.6:build6160
zohocorpmanageengine_key_manager_plus
6.1.6:build6161
𝑥
= Vulnerable software versions
References
https://cds.thalesgroup.com/en/tcs-cert/CVE-2022-24446
https://excellium-services.com/cert-xlm-advisory/cve-2022-24446/
https://www.manageengine.com/key-manager/release-notes.html#6200
https://excellium-services.com/cert-xlm-advisory/cve-2022-24446/
https://www.manageengine.com/key-manager/release-notes.html#6200