CVE-2022-29081

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.

Published: Apr 28, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-29081
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_password_manager_pro	10.4-build10400	10.4-build10400.x
zohocorp / manageengine_password_manager_pro	10.4-build10402	10.4-build10402.x
zohocorp / manageengine_password_manager_pro	10.4-build10401	10.4-build10401.x
zohocorp / manageengine_password_manager_pro	10.3-build10301	10.3-build10301.x
zohocorp / manageengine_password_manager_pro	10.3-build10302	10.3-build10302.x
zohocorp / manageengine_password_manager_pro	10.3-build10300	10.3-build10300.x
zohocorp / manageengine_password_manager_pro	10.2-build10200	10.2-build10200.x
zohocorp / manageengine_password_manager_pro	10.1-build10103	10.1-build10103.x
zohocorp / manageengine_password_manager_pro	10.1-build10104	10.1-build10104.x
zohocorp / manageengine_password_manager_pro	11.1-build_11101	11.1-build_11101.x
zohocorp / manageengine_password_manager_pro	11.1-build_11102	11.1-build_11102.x
zohocorp / manageengine_password_manager_pro	11.1-build_11103	11.1-build_11103.x
zohocorp / manageengine_access_manager_plus	4.2-build4202	4.2-build4202.x
zohocorp / manageengine_access_manager_plus	4.2-build4201	4.2-build4201.x
zohocorp / manageengine_access_manager_plus	4.2-build4200	4.2-build4200.x
zohocorp / manageengine_pam360	5.3-build5302	5.3-build5302.x
zohocorp / manageengine_pam360	5.3-build5301	5.3-build5301.x
zohocorp / manageengine_pam360	5.3-build5300	5.3-build5300.x
zohocorp / manageengine_pam360	5.2-build5200	5.2-build5200.x
zohocorp / manageengine_pam360	5.1-build5100	5.1-build5100.x
zohocorp / manageengine_pam360	5.0-build5004	5.0-build5004.x
zohocorp / manageengine_pam360	5.0-build5003	5.0-build5003.x
zohocorp / manageengine_pam360	5.0-build5002	5.0-build5002.x
zohocorp / manageengine_pam360	5.0-build5001	5.0-build5001.x
zohocorp / manageengine_pam360	5.0-build5000	5.0-build5000.x
zohocorp / manageengine_pam360	4.5-build4500	4.5-build4500.x
zohocorp / manageengine_pam360	4.5-build4501	4.5-build4501.x
zohocorp / manageengine_pam360	4.1-build4100	4.1-build4100.x
zohocorp / manageengine_pam360	4.1-build4101	4.1-build4101.x
zohocorp / manageengine_pam360	4.0-build4001	4.0-build4001.x
zohocorp / manageengine_pam360	4.0-build4002	4.0-build4002.x
zohocorp / manageengine_access_manager_plus	4.1-build4100	4.1-build4100.x
zohocorp / manageengine_access_manager_plus	4.1-build4101	4.1-build4101.x
zohocorp / manageengine_pam360	5.4-build5400	5.4-build5400.x
zohocorp / manageengine_password_manager_pro	12.0-build12001	12.0-build12001.x
zohocorp / manageengine_password_manager_pro	12.0-build12002	12.0-build12002.x
zohocorp / manageengine_password_manager_pro	12.0-build12003	12.0-build12003.x
zohocorp / manageengine_password_manager_pro	12.0-build12004	12.0-build12004.x
zohocorp / manageengine_password_manager_pro	12.0-build12005	12.0-build12005.x
zohocorp / manageengine_password_manager_pro	12.0-build12006	12.0-build12006.x
zohocorp / manageengine_password_manager_pro	12.0-build12000	12.0-build12000.x
zohocorp / manageengine_password_manager_pro	11.3-build11300	11.3-build11300.x
zohocorp / manageengine_password_manager_pro	11.3-build11301	11.3-build11301.x
zohocorp / manageengine_password_manager_pro	11.1-11104	11.1-11104.x
zohocorp / manageengine_access_manager_plus	4.3-build4300	4.3-build4300.x
zohocorp / manageengine_access_manager_plus	4.3-build4301	4.3-build4301.x
zohocorp / manageengine_access_manager_plus	4.2-build4203	4.2-build4203.x
zohocorp / manageengine_access_manager_plus	4.0-build4000	4.0-build4000.x
zohocorp / manageengine_password_manager_pro	11.2-build11200	11.2-build11200.x
zohocorp / manageengine_password_manager_pro	11.2-build11201	11.2-build11201.x

Vulnerability Database

289,697

CVE-2022-29081