CVE-2019-19034: OS Command Injection
First published: Mon Mar 23 2020(Updated: )
Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp Manageengine Assetexplorer | =6.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-19034?
CVE-2019-19034 is a vulnerability in Zoho ManageEngine Asset Explorer 6.5 that allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.
How severe is CVE-2019-19034?
CVE-2019-19034 has a severity rating of 7.2 (high).
How does CVE-2019-19034 work?
CVE-2019-19034 occurs due to a lack of validation in the System Center Configuration Manager (SCCM) database username when scheduling scans for SCCM. This allows an attacker to execute arbitrary commands.
Which version of Zoho ManageEngine Asset Explorer is affected?
Zoho ManageEngine Asset Explorer 6.5 is affected by CVE-2019-19034.
Is there a fix available for CVE-2019-19034?
Yes, it is recommended to update to the latest version of Zoho ManageEngine Asset Explorer to fix CVE-2019-19034.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/zohocorp
- canonical/zohocorp manageengine assetexplorer
- version/zohocorp manageengine assetexplorer/6.5