CVE-2021-40539

CVSS V2 High 7.5 CVSS V3 Critical 9.8

Description

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Overview

CVE ID
CVE-2021-40539

Assigner
cve@mitre.org

Vulnerability Status
Analyzed

Published Version
2021-09-07T17:15:07

Last Modified Date
2021-11-29T17:18:58

Weakness Enumerations

CWE	URL
CWE-287	http://cwe.mitre.org/data/definitions/287.html

CPE Configuration (Product)

CPE	Vulnerable	Operator
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4510::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4511::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4520::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4522::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4531::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4540::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4543::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4544::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4550::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4560::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4570::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4571::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4572::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4580::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4590::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4591::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4592::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5000::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5001::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5002::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5010::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5011::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5020::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5021::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5022::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5030::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5032::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5040::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5041::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0.6:::::::*	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5100::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5101::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5102::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5103::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5104::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5105::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5106::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5107::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5108::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5109::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5110::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5111::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5112::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5113::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5114::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5115::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5116::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5200::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5201::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5202::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5203::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5204::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5205::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5206::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5207::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5300::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5301::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5302::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5303::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5304::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5305::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5306::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5307::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5308::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5309::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5310::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5311::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5312::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5313::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5314::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5315::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5316::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5317::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5318::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5319::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5320::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5321::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5322::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5323::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5324::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5325::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5326::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5327::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5328::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5329::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5330::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.4:5400::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:-::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5500::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5501::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5502::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5503::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5504::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5505::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5506::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5507::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5508::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5509::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5510::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5511::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5512::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5513::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5514::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5515::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5516::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5517::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5518::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5519::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5520::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5521::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5600::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5601::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5602::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5603::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5604::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5605::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5606::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5607::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5607::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5700::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5701::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5702::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5703::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5704::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5705::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5706::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5707::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5708::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5709::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5710::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:-::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5800::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5801::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5802::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5803::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5804::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5805::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5806::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5807::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5808::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5809::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5810::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5811::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5812::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5813::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5814::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5815::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5816::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6000::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6001::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6002::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6003::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6004::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6005::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6006::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6007::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6008::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6009::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6012::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6013::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:-::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6101::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6102::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6104::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6105::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106::::::	1	OR
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6113::::::	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
7.5

Severity
HIGH

Exploitability Score
10

Impact Score
6.4

CVSS Version 3

Version
3.1

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NETWORK

Attack Compatibility
LOW

Privileges Required
NONE

User Interaction
NONE

Scope
UNCHANGED

Confidentiality Impact
HIGH

Availability Impact
HIGH

Base Score
9.8

Base Severity
CRITICAL

Exploitability Score
3.9

Impact Score
5.9

References

Reference URL	Reference Tags
https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html	Patch Vendor Advisory
https://www.manageengine.com	Vendor Advisory
http://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html	Exploit Third Party Advisory VDB Entry

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2021-40539
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 06:44:40				Added to TrackCVE
2022-12-05 09:46:02	2021-09-07T17:15Z	2021-09-07T17:15:07	CVE Published Date	updated
2022-12-05 09:46:02		2021-11-29T17:18:58	CVE Modified Date	updated
2022-12-05 09:46:02		Analyzed	Vulnerability Status	updated