CVE-2023-47211
Published: 08 January 2024
Summary
CVE-2023-47211 is a critical-severity Path Traversal (CWE-22) vulnerability in Zoho Corp ManageEngine OpManager. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. The flaw, classified as CWE-22, allows a specially crafted HTTP request carrying a malicious MIB file to create arbitrary files on the affected system. The issue carries a CVSS 3.1 score of 9.1, reflecting a network attack vector, low attack complexity, low required privileges and a changed scope.
An authenticated attacker can send the malicious request remotely to write files outside the intended directories. Successful exploitation has a high impact on confidentiality, with limited effects on integrity and availability of the target installation.
Public advisories from ManageEngine and detailed analysis from Cisco Talos are available at the referenced URLs and address the reported issue.
The CVE shows an EPSS score that has reached a peak of 0.8406 with a current value of 0.7615, indicating notable exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51343
Vulnerability details
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MIB file to trigger this vulnerability.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
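As an added example (not part of the advisory, and not ManageEngine's code), the control above implemented as a Python check for a file-upload handler: the client-supplied name is validated against an allow-list, and the resolved write path is then confirmed to lie inside the upload directory. The upload directory, the extension allow-list and the sample names are assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed policy (not from the advisory): uploads go to one fixed directory, the
# client may only choose a bare file name, and anything resembling a path is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
ALLOWED_SUFFIXES = {".mib", ".txt", ".my"}   # assumed allow-list for MIB uploads

def validate_filename(client_name: str) -> Optional[str]:
    """Return None if client_name is an acceptable bare file name, else a rejection reason."""
    if "/" in client_name or "\\" in client_name:
        return "path separator in file name"
    if client_name in ("", ".", ".."):
        return "relative path component"
    if "\x00" in client_name:
        return "NUL byte in file name"
    if not SAFE_NAME.fullmatch(client_name):
        return "character outside allow-list"
    if Path(client_name).suffix.lower() not in ALLOWED_SUFFIXES:
        return "disallowed extension"
    return None

def resolve_upload_target(upload_dir: str, client_name: str) -> Path:
    """Return an absolute path inside upload_dir for the upload, or raise ValueError."""
    reason = validate_filename(client_name)
    if reason is not None:
        raise ValueError(f"rejected {client_name!r}: {reason}")
    base = Path(upload_dir).resolve()
    target = (base / client_name).resolve()   # follows symlinks, collapses any '..'
    # Containment check as defence in depth: the name passed the allow-list, but a
    # symlink planted inside upload_dir could still redirect the write elsewhere.
    if target.parent != base:
        raise ValueError(f"rejected {client_name!r}: resolves outside {base}")
    return target

# Constructed sample names, of the kind an upload endpoint's access log might show.
SAMPLES = ["router.mib", "../../../etc/hosts", "..\\..\\win.ini",
           "good.mib\x00.txt", "upload.exe"]

def triage(names=SAMPLES) -> dict:
    """Map each sample name to its rejection reason (None means accepted)."""
    return {n: validate_filename(n) for n in names}
```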