CVE Tools
Sign in

CVE-2021-20108

Published: Jul 19, 2021Updated: Nov 21, 2024 Sources: CVE List NVD BDUCWE-401
NVD MITRE
7.5CVSSHIGH
EPSS Score
3.0%
Top 14.6%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the manage engine server for an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never free-ed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (ie: NEWSCAN, DELTASCAN, etc) is converted to a unicode string, but is never freed. These memory leaks allow a remote attacker to exploit a Denial of Service scenario through repetitively sending these commands to an agent and eventually crashing it the agent due to an out-of-memory condition.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-401

Affected Products

ManageEngine AssetExplorerZOHO Corp.
Mixed
Enterprise Software / itsm-monitoring
Manage Engine Asset Explorer Agentn/a
manageengine assetexplorerzohocorp
On-premWeb App
Enterprise Software / itsm-monitoring
zoho corp.commercialINEnterprise Softwareaka zoho
zohocorpcommercialINEnterprise Softwareaka zoho corp, manageengine

Exploitability

Official Patch Available

References

https://nvd.nist.gov/vuln/detail/CVE-2021-20108
nvd.nist.gov
https://www.tenable.com/security/research/tra-2021-29
tenable.com

Timeline

Published
Jul 19, 2021
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2021-20108 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows