CVE-2016-9489
Vulnerability from cvelistv5
Published
2018-07-13 20:00
Modified
2024-08-06 02:50
Severity ?
Summary
In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.
References
cret@cert.orghttp://seclists.org/fulldisclosure/2017/Apr/9Mailing List, Third Party Advisory
cret@cert.orghttps://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.htmlVendor Advisory
cret@cert.orghttps://www.securityfocus.com/bid/97394/Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2017/Apr/9Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.securityfocus.com/bid/97394/Third Party Advisory, VDB Entry
Impacted products
Vendor Product Version
ManageEngine Applications Manager Version: 12
Version: 13
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:50:38.431Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html"
          },
          {
            "name": "20170404 ManageEngine Applications Manager Multiple Vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2017/Apr/9"
          },
          {
            "name": "97394",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/97394/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Applications Manager",
          "vendor": "ManageEngine",
          "versions": [
            {
              "status": "affected",
              "version": "12"
            },
            {
              "status": "affected",
              "version": "13"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Lukasz Juszczyk for reporting this vulnerability."
        }
      ],
      "datePublic": "2017-04-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like \"ADMIN\". A user is also able to change properties of another user, e.g. change another user\u0027s password."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-08-06T20:57:01",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html"
        },
        {
          "name": "20170404 ManageEngine Applications Manager Multiple Vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2017/Apr/9"
        },
        {
          "name": "97394",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "https://www.securityfocus.com/bid/97394/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "ManageEngine Applications Manager 12 and 13 is vulnerable to privilege escalation and authentication bypass",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2016-9489",
          "STATE": "PUBLIC",
          "TITLE": "ManageEngine Applications Manager 12 and 13 is vulnerable to privilege escalation and authentication bypass"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Applications Manager",
                      "version": {
                        "version_data": [
                          {
                            "affected": "=",
                            "version_affected": "=",
                            "version_name": "12",
                            "version_value": "12"
                          },
                          {
                            "affected": "=",
                            "version_affected": "=",
                            "version_name": "13",
                            "version_value": "13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ManageEngine"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to Lukasz Juszczyk for reporting this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like \"ADMIN\". A user is also able to change properties of another user, e.g. change another user\u0027s password."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-269"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html",
              "refsource": "CONFIRM",
              "url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html"
            },
            {
              "name": "20170404 ManageEngine Applications Manager Multiple Vulnerabilities",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2017/Apr/9"
            },
            {
              "name": "97394",
              "refsource": "BID",
              "url": "https://www.securityfocus.com/bid/97394/"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2016-9489",
    "datePublished": "2018-07-13T20:00:00",
    "dateReserved": "2016-11-21T00:00:00",
    "dateUpdated": "2024-08-06T02:50:38.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2016-9489\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2018-07-13T20:29:01.550\",\"lastModified\":\"2024-11-21T03:01:18.870\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like \\\"ADMIN\\\". A user is also able to change properties of another user, e.g. change another user\u0027s password.\"},{\"lang\":\"es\",\"value\":\"En ManageEngine Applications Manager 12 y 13, antes de la build 13200, un usuario autenticado puede alterar todas sus propiedades, incluyendo su propio grupo; p. ej., cambiando su grupo a otro con mayores privilegios como \\\"ADMIN\\\". Un usuario tambi\u00e9n puede cambiar las propiedades de otro usuario, p. ej., cambiando la contrase\u00f1a de otro usuario.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cret@cert.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-255\"},{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"627D0D5D-1B83-4480-BE43-5D1F1D95F563\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_applications_manager:13.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"69BC473D-B091-41C9-8C0F-D397B16F0042\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/fulldisclosure/2017/Apr/9\",\"source\":\"cret@cert.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html\",\"source\":\"cret@cert.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.securityfocus.com/bid/97394/\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2017/Apr/9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.securityfocus.com/bid/97394/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.