usd-2021-0015 | Password Manager Pro
Advisory ID: usd-2021-0015
CVE Number: CVE-2021-33617
Affected Product: Password Manager Pro
Affected Version: < Version 11.2 Build 11200 (Major)
Vulnerability Type: User Enumeration (CWE-203: Observable Discrepancy)
Security Risk: Low
Vendor URL: https://www.manageengine.com/products/passwordmanagerpro/
Vendor Status: Fixed
The ManageEngine Password Manager Pro web application allows the determination of valid logon names. This can be achieved by passing either an existing or non-existing user name to the application and view its corresponding response.
User Enumeration vulnerabilities occur if observable discrepancies of an application’s behavior allow to determine whether an user account is existent within an application. Such vulnerabilities can be often exploited to generate a list of valid logon names, potentially acting as foothold for further attacks.
The Password Manager Pro exposes an endpoint that enables an unauthenticated malicious actor to determine whether an userName is existent within the application.
Proof of Concept (PoC)
The Password Manager Pro exposes an endpoint that responds with different contents if a userName parameter at https://example.com/login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=[VALUE] holds an existing user name or not.
1. Non-existent user: https://example.com/login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName=non.existent
It is recommended to use generic error messages that do not allow to draw conclusions about logon names.
- 2021-04-01: This vulnerability was identified by Marcus Nilsson.
- 2021-04-15: Advisory submitted to vendor via e-mail.
- 2021-05-28: CVE-2021-33617 is assigned
- 2021-07-07: Security fix is released with Version 11.2 Build 11200: „A user enumeration issue has been fixed“.
- 2021-07-30: Security advisory released by usd AG.
This security vulnerability was found by Marcus Nilsson of usd AG.