CVE-2022-24305
Published: 02 March 2022
Summary
CVE-2022-24305 is a critical-severity vulnerability in Zohocorp Manageengine Sharepoint Manager Plus whose weakness type is unspecified (no CWE assigned). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine SharePoint Manager Plus versions prior to 4329 contain a sensitive data leak vulnerability that can be leveraged for privilege escalation. The affected component is the SharePoint management and reporting application, which exposes internal information without requiring authentication or user interaction.
Remote attackers can exploit the flaw over the network to obtain sensitive data and escalate privileges to administrative levels within the product. The CVSS 9.8 rating reflects the absence of required credentials and the potential for complete confidentiality, integrity, and availability impact on the affected installation.
The vendor's release notes for build 4329 address the issue and indicate that upgrading to this version or later resolves the data leak. No other specific configuration workarounds are documented in the available references.
The EPSS score has remained steady at 0.1309 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29203
Vulnerability details
Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.
- CWE(s): none assigned
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.