CVE-2024-27310
Published: 27 May 2024
Summary
CVE-2024-27310 is a medium-severity LDAP injection (CWE-90) vulnerability in Zoho ManageEngine ADSelfService Plus, with a CVSS base score of 5.3.
Ranked in the top 9.3% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Zoho ManageEngine ADSelfService Plus builds below 6401 contain a denial-of-service vulnerability triggered by malicious LDAP input. The flaw is tracked as CVE-2024-27310 with a CVSS 3.1 base score of 5.3 and is classified as CWE-90 (LDAP injection): the application does not properly neutralize attacker-supplied input before using it in an LDAP operation.
An unauthenticated remote attacker can exploit the issue over the network with low attack complexity and no user interaction by sending specially formed LDAP data. The result is a denial-of-service condition that affects availability only; confidentiality and integrity are not impacted, which matches the vector implied by the 5.3 score (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
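The root cause above is a failure to neutralize user input before it reaches an LDAP filter. The following is an added example, not ADSelfService Plus code and not the input behind CVE-2024-27310 (the advisory does not publish it): it shows RFC 4515 escaping of filter values and a small filter syntax checker, so you can see what an unescaped value does to a query. The filter shape (objectClass/sAMAccountName lookup), the constructed sample inputs and the helper names are assumptions for illustration.

```python
"""RFC 4515 escaping for values spliced into LDAP search filters, plus a
small syntax checker that shows what an unescaped value does to the filter.

Added example, not ADSelfService Plus code and not the input behind
CVE-2024-27310 (the advisory does not publish it). The filter shape,
attribute names and sample inputs below are assumptions for illustration.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value. Applied per character, so a backslash is escaped once.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_HEX = "0123456789abcdefABCDEF"


def escape_ldap_filter_value(value: str) -> str:
    """Return value with RFC 4515 special characters replaced by \\xx escapes."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, escape: bool = True) -> str:
    """Filter a self-service lookup might run. escape=False is the bug pattern."""
    value = escape_ldap_filter_value(username) if escape else username
    return f"(&(objectClass=user)(sAMAccountName={value}))"


def parse_filter(text: str):
    """Minimal RFC 4515 syntax check. Returns (ok, detail, assertions).

    Handles (attr=value), (&...), (|...), (!...); values may hold \\xx escapes
    and '*'. assertions lists the (attribute, raw value) pairs the directory
    would actually be asked to match, which is where injection shows up.
    """
    pos = 0
    assertions = []

    def parse_one():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            pos += 1
            count = 0
            while pos < len(text) and text[pos] == "(":
                parse_one()
                count += 1
            if count == 0:
                raise ValueError(f"empty filter set at offset {pos}")
        else:
            start = pos
            while pos < len(text) and (text[pos].isalnum() or text[pos] in "-.;"):
                pos += 1
            attr = text[start:pos]
            if not attr:
                raise ValueError(f"missing attribute at offset {start}")
            if pos < len(text) and text[pos] in "<>~":
                pos += 1
            if pos >= len(text) or text[pos] != "=":
                raise ValueError(f"expected '=' at offset {pos}")
            pos += 1
            vstart = pos
            while pos < len(text) and text[pos] != ")":
                if text[pos] == "(":
                    raise ValueError(f"unescaped '(' in value at offset {pos}")
                if text[pos] == "\\":
                    if len(text) < pos + 3 or any(c not in _HEX for c in text[pos + 1:pos + 3]):
                        raise ValueError(f"bad escape at offset {pos}")
                    pos += 3
                else:
                    pos += 1
            assertions.append((attr, text[vstart:pos]))
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1

    try:
        parse_one()
    except ValueError as exc:
        return False, str(exc), assertions
    if pos != len(text):
        return False, f"trailing data at offset {pos}", assertions
    return True, "ok", assertions


if __name__ == "__main__":
    # Constructed sample inputs, not data from the advisory.
    for name in ("jdoe", "*)(|(objectClass=*)", ")("):
        for escape in (False, True):
            flt = build_user_filter(name, escape=escape)
            ok, detail, found = parse_filter(flt)
            print(f"escape={escape!s:5} {flt}\n    -> {detail}; assertions={found}")
```

Run it and compare the two rows per input: unescaped, the wildcard input turns the exact-match lookup into `(sAMAccountName=*)` plus an injected `(|(objectClass=*))` clause, a syntactically valid filter that matches every object; the `)(` input produces a filter the directory will reject outright. With escaping, both become literal values and the filter stays a single exact match. Escape at the point where the value is placed into the filter (or use your LDAP library's parameterized filter support), never by stripping characters up front.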
The vendor advisory at https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-27310.html states that the issue is fixed in ADSelfService Plus build 6401; upgrade to 6401 or later. The EPSS score has remained flat at 0.0579 (about 5.8%) with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24526
Vulnerability details
Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to a denial-of-service (DoS) attack triggered by malicious LDAP input.
- CWE(s): CWE-90, Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Related Threats
No named threat actor has been attributed to this CVE, and no ATT&CK technique mapping is available for it.
Affected Assets
Zoho ManageEngine ADSelfService Plus builds below 6401.
Mitigating Controls
Upgrade to ADSelfService Plus build 6401 or later, as directed by the vendor advisory. No other mitigating controls are mapped for this CVE.