CVE-2020-8422 - Vulnerability Details - OpenCVE

An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zohocorp	Manageengine Remote Access Plus

Configuration 1 [-]

cpe:2.3:a:zohocorp:manageengine_remote_access_plus:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-8422
https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422
https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/

History

Fri, 30 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
References		https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-8422

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-01-31T15:25:11.000Z

Updated: 2025-05-30T16:01:31.452Z

Reserved: 2020-01-28T00:00:00.000Z

Link: CVE-2020-8422

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-01-31T16:15:10.690

Modified: 2025-05-30T16:15:26.827

Link: CVE-2020-8422

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password)."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2025-05-30T16:01:31.452Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}, {"url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-8422"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8422", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password)."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422", "refsource": "MISC", "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"name": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/", "refsource": "MISC", "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:28.332Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8422", "datePublished": "2020-01-31T15:25:11.000Z", "dateReserved": "2020-01-28T00:00:00.000Z", "dateUpdated": "2025-05-30T16:01:31.452Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_remote_access_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "96B06C9B-CE1F-44CC-9AEE-71CF30AF8AEA", "versionEndExcluding": "10.0.450", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection of all defined credentials of remote machines: the credential name, credential type, user name, domain/workgroup name, and description (but not the password)."}, {"lang": "es", "value": "Se detect\u00f3 un problema de autorizaci\u00f3n en la funcionalidad Credential Manager en Zoho ManageEngine Remote Access Plus versiones anteriores a 10.0.450. Un usuario con el rol Invitado puede extraer la colecci\u00f3n de todas las credenciales definidas de m\u00e1quinas remotas: el nombre de credencial, el tipo de credencial, el nombre de usuario, el nombre de dominio y grupo de trabajo y la descripci\u00f3n (pero no la contrase\u00f1a)."}], "id": "CVE-2020-8422", "lastModified": "2025-05-30T16:15:26.827", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-31T16:15:10.690", "references": [{"source": "cve@mitre.org", "url": "https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-8422"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/CVE-2020-8422"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-8422/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}