CISA KEV Information
| Vulnerability Name | Zoho ManageEngine Desktop Central File Upload Vulnerability |
|---|---|
| Description | Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution. |
| Required Action | Apply updates per vendor instructions. |
| Known Ransomware Campaign Use | Unknown |
| CWE | CWE-502 |
| Date Added (KEV) | 2021-11-03 |
| Due Date | 2022-05-03 |
| Additional Notes | https://nvd.nist.gov/vuln/detail/CVE-2020-10189 |
NVD Details
CVSS v3.1: 9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.0: 9.8 CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
CWE: CWE-502
References
- http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html [Exploit, Third Party Advisory, VDB Entry]
- https://cwe.mitre.org/data/definitions/502.html [Third Party Advisory]
- https://srcincite.io/advisories/src-2020-0011/ [Exploit, Third Party Advisory]
- https://srcincite.io/pocs/src-2020-0011.py.txt [Exploit, Third Party Advisory]
- https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html [Vendor Advisory]
- https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/ [Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10189 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.