CVE-2019-19475

Published: Jan 10, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrary command to escalate and gain full system privilege user access and rights over the system.

Affected (1)

Products: Zohocorp: Manageengine Applications Manager

1 product

Manageengine Applications Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zohocorp Manageengine Applications Manager	Version 14.3 14360

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (2)

https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-19475.html

Source: cve@mitre.org

Vendor Advisory

https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-19475.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.