CVE-2014-7864 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	4.48%	–	–
2022-02-13	–	–	2.18%	–	–
2022-03-13	–	–	2.18%	–	–
2022-04-03	–	–	2.18%	–	–
2022-06-26	–	–	2.18%	–	–
2023-02-26	–	–	2.18%	–	–
2023-03-12	–	–	–	95.32%	–
2023-04-09	–	–	–	94.02%	–
2023-05-07	–	–	–	93.08%	–
2024-01-14	–	–	–	91.88%	–
2024-04-21	–	–	–	90.34%	–
2024-06-02	–	–	–	90.34%	–
2024-08-04	–	–	–	88.15%	–
2024-09-22	–	–	–	86.61%	–
2024-12-22	–	–	–	35.4%	–
2025-02-02	–	–	–	34.58%	–
2025-01-19	–	–	–	35.4%	–
2025-02-02	–	–	–	34.58%	–
2025-03-18	–	–	–	–	29.08%
2025-03-30	–	–	–	–	20.95%
2025-04-13	–	–	–	–	35.54%
2025-04-13	–	–	–	–	35.54,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	71%
2022-02-13	58%
2022-03-13	59%
2022-04-03	79%
2022-06-26	8%
2023-02-26	81%
2023-03-12	99%
2023-04-09	99%
2023-05-07	99%
2024-01-14	99%
2024-04-21	99%
2024-06-02	99%
2024-08-04	99%
2024-09-22	99%
2024-12-22	97%
2025-02-02	97%
2025-01-19	97%
2025-02-02	97%
2025-03-18	96%
2025-03-30	95%
2025-04-13	97%
2025-04-13	97%

>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security ========================================================================== Disclosure: 28/01/2015 / Last updated: 09/02/2015 >> Background on the affected products: "ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation." "ManageEngine Applications Manager is a comprehensive application monitoring software used to monitor heterogeneous business applications such as web applications, application servers, web servers, databases, network services, systems, virtual systems, cloud resources, etc. It provides remote business management to the applications or resources in the network. It is a powerful tool for system and network administrators, helping them monitor any number of applications or services running in the network without much manual effort." "Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration." >> Technical details: The affected servlet is the "FailOverHelperServlet" (affectionately called FailServlet). There are definitely more vulnerabilities than the ones identified below - for example it is possible to hijack the failover operation completely. The ones listed below as the easy ones to find and exploit. #1 Vulnerability: Arbitrary file download CVE-2014-7863 Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360 Affected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5 POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini #2 Vulnerability: Information disclosure - list all files in a directory and its children CVE-2014-7863 (same as #1) Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360 Affected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5 POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\ #3 Vulnerability: Blind SQL injection CVE-2014-7864 Affected versions: ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5 Constraints: unauthenticated in OpManager; authenticated in IT360 POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2] POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a >> Fix: For Applications Manager, upgrade to version 11.9 b11912. For OpManager, install the patch for v11.4 and 11.5: https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet Version 11.6 will be released with the patch. These vulnerabilities remain UNFIXED in IT360. ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ >> Enabling secure digital business >>