CVE-2022-24447 | Cyber Solutions By Thales

Abstract Advisory Information

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A service exposed by the application allows a user to access stored certificates and associated key pairs.

Author: Dominique Righetto

Version affected

Name: Zoho ManageEngine Key Manager

Versions: 6.1.6

Common Vulnerability Scoring System

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Patches

Version 6200

References

https://www.manageengine.com/key-manager/download.html

Vulnerability Disclosure Timeline

09/01/2022: Vulnerability discovery
10/01/2022: Vulnerability Report to CERT-XLM
11/01/2022: Vulnerability Report to Vendor through bug bounty platform
11/01/2022: Acknowledge from vendor
31/01/2022: Vulnerability fixed
04/02/2022: Request CVE IDs to Mitre
04/02/2022: CVE IDs assigned CVE-2022-24447
21/02/2022: Vulnerability disclosure