CVE-2022-40772
Description
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ManageEngine ServiceDesk Plus versions ≤13010 allow report query validation bypass via a specific PostgreSQL function, exposing restricted database data.
Vulnerability
CVE-2022-40772 is a validation bypass vulnerability in Zoho ManageEngine ServiceDesk Plus versions 13010 and prior. The flaw resides in the report module, where an adversary can use a specific PostgreSQL function within a query to bypass the intended validation mechanism and access restricted data. Affected products include ServiceDesk Plus (up to version 13010, fixed in 14001), ServiceDesk Plus MSP (up to version 10608, fixed in 10609), SupportCenter Plus (up to version 11024, fixed in 11025), and AssetExplorer (up to version 6980, fixed in 6981) [1][2].
Exploitation
An attacker must have authenticated access to the report module and the ability to craft custom queries. By injecting a particular PostgreSQL function into a report query, the attacker can bypass the validation logic that normally restricts access to certain database entries. No special network position or additional privileges are required beyond report query access [2].
Impact
Successful exploitation allows the attacker to read restricted data from the underlying PostgreSQL database. This can include sensitive information that should be hidden from users with report query access, leading to unauthorized information disclosure and potential escalation of access to other system data [2].
Mitigation
Zoho released fixed versions on the dates indicated: ServiceDesk Plus 14001 on October 14, 2022; ServiceDesk Plus MSP 10609 on September 26, 2022; SupportCenter Plus 11025 on October 13, 2022; and AssetExplorer 6981 on October 13, 2022. Users should upgrade to these or later builds. No workarounds are documented; upgrading is the only mitigation [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ServiceDesk Plus
- Range: <=13010
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.