Vulnerability Details : CVE-2021-37415
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Products affected by CVE-2021-37415
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11005:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11006:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11007:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11008:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11009:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11010:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11101:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11102:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11103:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11104:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11105:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11106:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11107:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11108:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11109:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11110:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11111:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11112:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11113:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11114:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11115:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11116:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11117:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11118:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11119:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11120:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11121:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11122:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11123:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11124:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11125:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11126:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11127:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11128:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11129:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11130:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11131:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11132:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11133:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11201:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11202:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11203:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11204:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.3:11301:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.0:11011:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11134:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11135:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11136:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11137:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11138:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11139:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11140:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11141:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11142:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11143:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.1:11144:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11200:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11205:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11206:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:11.2:11207:*:*:*:*:*:*
CVE-2021-37415 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2021-37415
Added on
2021-12-01
Action due date
2021-12-15
Exploit prediction scoring system (EPSS) score for CVE-2021-37415
93.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-37415
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-37415
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-37415
-
https://www.manageengine.com
ManageEngine - IT Operations and Service Management SoftwareProduct
-
https://www.manageengine.com/products/service-desk/on-premises/readme.html#11302
ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version / version historyRelease Notes
Jump to