CVE-2022-29081
Published: 28 April 2022
Summary
CVE-2022-29081 is a critical-severity Path Traversal (CWE-22) vulnerability in Zoho ManageEngine Password Manager Pro; the same flaw also affects Access Manager Plus and PAM360 (see Deeper analysis). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Zoho ManageEngine Access Manager Plus before build 4302, Password Manager Pro before build 12007, and PAM360 before build 5401 contain an access-control bypass on several REST API endpoints, including SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize. The flaw is classified as CWE-22 because it is triggered by supplying the ../RestAPI substring in the request path to those URLs: the request reaches the endpoint even though the products' access controls are meant to block it. The CVSS 3.1 score of 9.8 reflects network-reachable exploitation with no credentials and no user interaction required.
An unauthenticated remote attacker can use the bypass to reach restricted functionality on the affected REST endpoints, with full impact on the confidentiality, integrity, and availability of the privileged-access management system.
The referenced ManageEngine advisory and Tenable write-up describe the affected builds and direct administrators to upgrade to the fixed releases (Access Manager Plus 4302, Password Manager Pro 12007, and PAM360 5401). The EPSS score stands at 0.8803 and has stayed at roughly that level since disclosure rather than climbing from a lower baseline.
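As an added triage example (written for this page, not code from the page, from ManageEngine, or from the referenced advisories): a small Python script that tells whether an installed build is older than the fixed builds named above, and scans web-server access-log lines for requests carrying the ../RestAPI substring toward the listed endpoints. The access-log layout, the sample log lines, and the exact request shapes in them are constructed assumptions; the advisory names only the substring and the endpoint names. The percent-decoding step is a generalisation added here so that encoded forms such as ..%2fRestAPI are caught as well.

```python
import re
from urllib.parse import unquote

# First fixed build per product, as stated in the advisory.
FIXED_BUILDS = {
    "Access Manager Plus": 4302,
    "Password Manager Pro": 12007,
    "PAM360": 5401,
}

# REST API endpoint names the advisory lists as reachable through the bypass.
AFFECTED_ENDPOINTS = (
    "SSOutAction", "SSLAction", "LicenseMgr", "GetProductDetails",
    "GetDashboard", "FetchEvents", "Synchronize",
)

# The substring named in the advisory.
BYPASS_MARKER = "../RestAPI"

# Assumed access-log layout (common-log-style prefix):
#   <client> - - [<timestamp>] "<method> <path> <proto>" <status> ...
# Adapt this regex to the real log source.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the request shapes are assumptions, not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2022:10:01:02 +0000] "GET /RestAPI/../RestAPI/GetProductDetails HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Apr/2022:10:01:05 +0000] "GET /RestAPI/..%2fRestAPI/GetDashboard HTTP/1.1" 200 2048',
    '198.51.100.4 - - [28/Apr/2022:10:02:11 +0000] "GET /RestAPI/GetProductDetails HTTP/1.1" 401 0',
    '198.51.100.9 - - [28/Apr/2022:10:03:30 +0000] "POST /ui/login HTTP/1.1" 302 0',
]


def is_affected(product: str, build: int) -> bool:
    """True when the installed build number is older than the first fixed build."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        raise ValueError(f"unknown product: {product!r}")
    return build < fixed


def is_bypass_request(path: str) -> bool:
    """True when the request path, after one round of percent-decoding,
    contains the ../RestAPI substring."""
    return BYPASS_MARKER in unquote(path)


def scan_log(lines):
    """Return one finding per log line that carries the bypass substring.
    'endpoint' is the first listed endpoint name found in the decoded path,
    or None if the request targeted something else under the bypass."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_bypass_request(m["path"]):
            continue
        decoded = unquote(m["path"])
        endpoint = next((ep for ep in AFFECTED_ENDPOINTS if ep in decoded), None)
        findings.append({
            "client": m["client"],
            "ts": m["ts"],
            "path": m["path"],
            "status": int(m["status"]),
            "endpoint": endpoint,
        })
    return findings


if __name__ == "__main__":
    print("PMP 12006 affected:", is_affected("Password Manager Pro", 12006))
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 on a flagged line is the signal worth escalating: an unauthenticated client that received a success status on a bypass-shaped request to one of the listed endpoints. A 401 or 403 on the same shape still indicates probing and is worth correlating with the client address.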
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33492
Vulnerability details
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few REST API URLs (SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories. For this CVE the equivalent control is to canonicalize the request URL (percent-decode it, then resolve . and .. segments) before the access-control check runs, or to reject non-canonical request paths outright, so that the access-control layer and the request dispatcher agree on which endpoint is being requested. In practice the fix is to upgrade to the builds listed above.
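As an added illustration of this control applied to the class of bug described on this page (generic Python written for this page; not ManageEngine's code and not a reconstruction of the vendor's fix): an access-control filter that tests the raw request URI beside one that refuses non-canonical paths before checking authorization. The /RestAPI/ route prefix and the /ui/... paths are assumptions made for the illustration; the only element taken from the advisory is the ../RestAPI substring.

```python
import posixpath
from urllib.parse import unquote

# Assumed route layout for the illustration: everything under /RestAPI/ requires a session.
PROTECTED_PREFIX = "/RestAPI/"


def dispatch_target(raw_path: str) -> str:
    """Stand-in for a container or front end that percent-decodes the URI and
    resolves '.', '..' and repeated slashes before choosing a handler."""
    decoded = unquote(raw_path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def weak_authorize(raw_path: str, authenticated: bool) -> int:
    """Access-control filter keyed on the raw URI (the weak pattern).
    It never sees the resolved path, so '/ui/../RestAPI/GetDashboard' does not
    look like a /RestAPI/ request here and is let through, while the dispatcher
    still routes it to the protected handler. Returns an HTTP status code."""
    if raw_path.startswith(PROTECTED_PREFIX) and not authenticated:
        return 401
    return 200


def is_canonical(decoded: str) -> bool:
    """True only for absolute paths with no empty, '.' or '..' segments,
    so doubled or trailing slashes are refused as well (relax if routes need them)."""
    if not decoded.startswith("/"):
        return False
    return all(seg not in ("", ".", "..") for seg in decoded.split("/")[1:])


def hardened_authorize(raw_path: str, authenticated: bool) -> int:
    """Fail closed on anything non-canonical, then authorize the decoded path,
    so the filter and the dispatcher agree on what is being requested."""
    decoded = unquote(raw_path)
    if not is_canonical(decoded):
        return 400
    if decoded.startswith(PROTECTED_PREFIX) and not authenticated:
        return 401
    return 200


if __name__ == "__main__":
    # Constructed requests from an unauthenticated client; shapes are assumptions.
    for raw in ("/RestAPI/GetDashboard",
                "/ui/../RestAPI/GetDashboard",
                "/ui/..%2fRestAPI/GetDashboard"):
        print(f"{raw:35} dispatches to {dispatch_target(raw):25} "
              f"weak={weak_authorize(raw, False)} hardened={hardened_authorize(raw, False)}")
```

Rejecting non-canonical paths with 400 is deliberately stricter than normalizing and then authorizing: it removes the whole class of filter-versus-dispatcher disagreements, including encodings the filter did not anticipate, at the cost of refusing a few odd but harmless URLs.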