Cyber Resilience

CVE-2024-27310

Severity: Medium
Published: 27 May 2024
Modified: 27 November 2024
KEV Added: not listed
Patch: see vendor advisory under Deeper analysis
CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS score: 0.0579 (90.7th percentile)
Risk priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-27310 is a medium-severity LDAP injection (CWE-90) vulnerability in Zoho ManageEngine ADSelfService Plus. Its CVSS base score is 5.3 (Medium).

Operationally, its EPSS score places it in the top 9.3% of CVEs by exploit likelihood (90.7th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Zoho ManageEngine ADSelfService Plus versions below 6401 contain a denial-of-service vulnerability triggered by malicious LDAP input. The flaw is tracked as CVE-2024-27310 with a CVSS 3.1 score of 5.3 and is associated with CWE-90 LDAP injection, allowing an attacker to supply crafted input that the application fails to neutralize properly before processing.

An unauthenticated remote attacker can exploit the issue over the network with low complexity by sending specially formed LDAP data, resulting in a denial-of-service condition that affects availability while leaving confidentiality and integrity untouched.

The vendor advisory published at https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-27310.html states that the issue is resolved by upgrading to ADSelfService Plus version 6401 or later. The associated EPSS score has remained flat at 0.0579 with no material increase since disclosure.
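The phrase "fails to neutralize properly" in the analysis above refers to the CWE-90 pattern: untrusted text is placed into an LDAP search filter without escaping, so the characters that carry meaning in filter syntax (backslash, asterisk, parentheses, NUL) can change the query's structure. The following Python is an added illustration of the defensive side only; it is not code from ADSelfService Plus, the page says nothing about how CVE-2024-27310 is actually triggered, and the filter template, attribute name and the `MAX_VALUE_LEN` cap are assumptions chosen for the example. It escapes values per RFC 4515, bounds input length before it reaches the directory, and contrasts the result with naive string concatenation.

```python
"""RFC 4515 escaping for values interpolated into LDAP search filters.

Added example for CWE-90 (LDAP injection). Not code from ADSelfService
Plus; the filter template, attribute and length cap are assumptions.
"""

# Characters RFC 4515 requires to be escaped inside an assertion value,
# mapped to backslash + two-digit hex code.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed upper bound on a username; real deployments choose their own.
MAX_VALUE_LEN = 256


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as literal data inside an LDAP filter.

    Required special characters become "\\XX". Control characters and
    non-ASCII characters are additionally escaped byte-by-byte from their
    UTF-8 encoding, which RFC 4515 permits and which keeps the output ASCII.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter_unsafe(username: str) -> str:
    """Naive concatenation: the CWE-90 anti-pattern, shown for contrast only."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_user_filter(username: str) -> str:
    """Build a sAMAccountName equality filter from untrusted input.

    Rejects empty or oversized input before any directory round-trip (a cheap
    guard against resource-exhausting inputs) and escapes the remainder so it
    cannot alter the filter structure.
    """
    if not username or len(username) > MAX_VALUE_LEN:
        raise ValueError("username missing or exceeds MAX_VALUE_LEN")
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def filter_has_template_shape(filter_str: str) -> bool:
    """Structural check: the assumed template has exactly three '(' and three ')'.

    Any extra unescaped parenthesis means the input changed the query shape.
    """
    return filter_str.count("(") == 3 and filter_str.count(")") == 3


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    sample = "a)(b*"
    print(build_user_filter_unsafe(sample), filter_has_template_shape(build_user_filter_unsafe(sample)))
    print(build_user_filter(sample), filter_has_template_shape(build_user_filter(sample)))
```

The structural check is a secondary safeguard, not a substitute for escaping: escaping is what makes the directory treat the value as data, while the shape check is a cheap assertion that the template was not altered, useful as a unit test or as a log-and-reject point in front of the LDAP client.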

Vulnerability details

Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to a denial-of-service (DoS) attack via malicious LDAP input.

CWE(s)

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zohocorp
Product: manageengine adselfservice plus
Version: 6.4 (≤ 6.4)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

Vendor advisory: https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-27310.html