CVE-2021-20148 affects ManageEngine ADSelfService Plus and allows unauthorized access to password policy files between domains.
An attacker could potentially access the password policy file of one domain while authenticating to the service with another domain. Builds of the software below 6116 are affected.
Understanding CVE-2021-20148
This section will cover the details and impact of CVE-2021-20148.
What is CVE-2021-20148?
CVE-2021-20148 is a vulnerability found in ManageEngine ADSelfService Plus where the password policy file for each domain is stored under the web root, allowing unauthorized access between domains.
The Impact of CVE-2021-20148
The vulnerability permits a user from one domain to retrieve the password policy file of another domain by exploiting the predictable filename structure.
Technical Details of CVE-2021-20148
In this section, we will delve into the technical aspects of the vulnerability.
Vulnerability Description
ManageEngine ADSelfService Plus versions below build 6116 suffer from the insecure storage of password policy files, enabling cross-domain access.
Affected Systems and Versions
The vulnerability affects ManageEngine ADSelfService Plus versions prior to build 6116.
Exploitation Mechanism
By leveraging the predictable filename of password policy files, an attacker can authenticate with one domain and access the password policy of another domain.
Mitigation and Prevention
Here we provide essential steps to address and prevent exploitation of CVE-2021-20148.
Immediate Steps to Take
Users should update ManageEngine ADSelfService Plus to a version beyond build 6116 to mitigate the vulnerability.
Long-Term Security Practices
Employ secure coding practices to avoid storing sensitive data in predictable locations under the web root.
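The practice above as an added sketch, not ManageEngine code: policy files live outside the web root and are read only through a check against the authenticated session's domain, and an audit helper flags copies left under the web root. The directory names, the `<domain>.json` naming and all function names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path


class PolicyAccessError(Exception):
    """A session asked for a policy file it is not entitled to."""


class PolicyStore:
    """Per-domain policy files kept outside the web root (hypothetical layout)."""

    def __init__(self, store_dir: Path, web_root: Path):
        self.store_dir = store_dir.resolve()
        self.web_root = web_root.resolve()
        # Refuse to start if the store could be served as static content.
        if self.store_dir == self.web_root or self.web_root in self.store_dir.parents:
            raise ValueError("policy store must not live under the web root")

    def read_policy(self, session_domain: str, requested_domain: str) -> str:
        # Authorization: the authenticated session's domain decides access,
        # not the domain named in the request.
        if requested_domain.lower() != session_domain.lower():
            raise PolicyAccessError("cross-domain policy request denied")
        path = (self.store_dir / f"{session_domain.lower()}.json").resolve()
        # Containment: a crafted domain string must not escape the store.
        if path.parent != self.store_dir:
            raise PolicyAccessError("invalid domain name")
        return path.read_text()


def exposed_policy_files(web_root: Path, domains: list) -> list:
    """Audit: files under the web root named after a domain (assumed naming)."""
    names = {d.lower() for d in domains}
    return sorted(p for p in web_root.rglob("*") if p.is_file() and p.stem.lower() in names)


def build_sample(root: Path) -> PolicyStore:
    """Constructed sample data: two domains, policies stored beside the web root."""
    web_root, store_dir = root / "webapps", root / "policy-store"
    web_root.mkdir()
    store_dir.mkdir()
    (store_dir / "corp-a.json").write_text('{"min_length": 12}')
    (store_dir / "corp-b.json").write_text('{"min_length": 8}')
    return PolicyStore(store_dir, web_root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        store = build_sample(Path(tmp))
        print(store.read_policy("corp-a", "corp-a"))
```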
Patching and Updates
Regularly apply patches and updates provided by the vendor to prevent security breaches.