all InfoSec news
ManageEngine Information Disclosure
Tenable Research Advisories www.tenable.com
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.
An encryption key is stored in the "CryptTag" configuration in \conf\customer-config.xml.
The ManageEngine product database usernames and passwords can be found in …
access database decrypt disclosure encryption encryption keys exposed host information information disclosure information disclosure vulnerability key keys low manageengine passwords privileged product products result vulnerability