CVE-2019-8394
Published: 17 February 2019
Summary
CVE-2019-8394 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Zoho ManageEngine ServiceDesk Plus. Its CVSS base score is 6.5 (Medium).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
Zoho ManageEngine ServiceDesk Plus (SDP) versions prior to 10.0 build 10012 contain an unrestricted file upload vulnerability, tracked as CVE-2019-8394 and assigned CWE-434. The flaw resides in the login page customization feature, which fails to properly validate or restrict uploaded file types, allowing arbitrary files to be placed on the server.
Attackers with authenticated low-privileged access can exploit the issue remotely over the network to upload malicious files, resulting in high integrity impact without affecting confidentiality or availability. Public exploit code for this vector has been published on Exploit-DB.
The vendor advisory and release notes at manageengine.com indicate that upgrading to version 10.0 build 10012 or later resolves the weakness by correcting the file handling logic in the customization workflow.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-17784
Vulnerability details
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Zoho ManageEngine ServiceDesk Plus (SDP) versions before 10.0 build 10012.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of uploaded file content and types, blocking the unrestricted arbitrary-file upload in the login-page customization feature.
- Access restrictions on configuration changes: limits which authenticated users can perform login-page customization uploads.
- AC-6 (Least Privilege): restricts low-privileged accounts from accessing or exercising the customization function that leads to arbitrary file placement.