CVE-2022-24446 | Cyber Solutions By Thales

Abstract Advisory Information

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user can see all SSH servers (and user information) even if no SSH server or user is associated with them.

Author: Dominique Righetto

Version affected

Name: Zoho ManageEngine Key Manager

Versions: 6.1.6

Common Vulnerability Scoring System

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Patches

Version 6200

References

https://www.manageengine.com/key-manager/download.html

Vulnerability Disclosure Timeline

09/01/2022: Vulnerability discovery
10/01/2022: Vulnerability Report to CERT-XLM
11/01/2022: Vulnerability Report to Vendor through bug bounty platform
11/01/2022: Acknowledge from vendor
31/01/2022: Vulnerability fixed
04/02/2022: Request CVE IDs to Mitre
04/02/2022: CVE IDs assigned CVE-2022-24446
21/02/2022: Vulnerability disclosure