JVN#89726415: ManageEngine ServiceDesk Plus fails to restrict access permissions

Overview

ManageEngine ServiceDesk Plus provided by Zoho Corporation fails to restrict access permissions.

Products Affected

ManageEngine ServiceDesk Plus versions prior to 9.0

Description

ManageEngine ServiceDesk Plus provided by Zoho Corporation is a help desk software. ManageEngine ServiceDesk Plus fails to restrict access permissions.

Impact

A user logged in with guest privileges may access functions for which permissions are not granted.

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Link
Zoho Corporation	README for Version 9.0

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Base Score: 5.4

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:N

Base Score: 5.5

Access Vector(AV)	Local (L)	Adjacent Network (A)	Network (N)
Access Complexity(AC)	High (H)	Medium (M)	Low (L)
Authentication(Au)	Multiple (M)	Single (S)	None (N)
Confidentiality Impact(C)	None (N)	Partial (P)	Complete (C)
Integrity Impact(I)	None (N)	Partial (P)	Complete (C)
Availability Impact(A)	None (N)	Partial (P)	Complete (C)

Credit

Akihito Mukai and Tomoshige Hasegawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2016-4889
JVN iPedia	JVNDB-2016-000170

JVN#89726415 ManageEngine ServiceDesk Plus fails to restrict access permissions