CVE-2021-37415

CVSS V2 High 7.5 CVSS V3 Critical 9.8
Description
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to an authentication bypass that allows a few REST-API URLs to be accessed without authentication.
Overview
  • CVE ID: CVE-2021-37415
  • Assigner: cve@mitre.org
  • Vulnerability Status: Analyzed
  • Published Date: 2021-09-01T06:15:06
  • Last Modified Date: 2022-07-12T17:42:04
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11005:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11006:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11007:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11008:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11009:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11010:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11011:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:-:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11100:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11101:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11102:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11103:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11104:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11105:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11106:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11107:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11108:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11109:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11110:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11111:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11112:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11113:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11114:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11115:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11116:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11117:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11118:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11119:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11120:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11121:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11122:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11123:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11124:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11125:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11126:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11127:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11128:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11129:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11130:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11131:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11132:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11133:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11134:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11135:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11136:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11137:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11138:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11139:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11140:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11141:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11142:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11143:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11144:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:-:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11200:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11201:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11202:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11203:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11204:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11205:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11206:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11207:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:-:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11300:*:*:*:*:*:* 1 OR
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11301:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version: 2.0
  • Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Base Score: 7.5
  • Severity: HIGH
  • Exploitability Score: 10
  • Impact Score: 6.4
CVSS Version 3
  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Availability Impact: HIGH
  • Base Score: 9.8
  • Base Severity: CRITICAL
  • Exploitability Score: 3.9
  • Impact Score: 5.9
History
Created Old Value New Value Data Type Notes
2022-05-10 06:43:32 Added to TrackCVE
2022-12-05 09:24:49 2021-09-01T06:15Z 2021-09-01T06:15:06 CVE Published Date updated
2022-12-05 09:24:49 2022-07-12T17:42:04 CVE Modified Date updated
2022-12-05 09:24:49 Analyzed Vulnerability Status updated