CVE-2023-6105 MEDIUM

CVE-2023-6105: ManageEngine Information Disclosure in Multiple Products

Vendor Manageengine
Product Service Desk Plus
Weakness CWE-200 · Info exposure
Published November 15, 2023
Last update February 13, 2025

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

Key dates

02Disclosure timeline

November 15, 2023 CVE published
February 13, 2025 Record updated