CVE-2021-20147: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This vulnerability (CVE-2021-20147) was discovered in August 2021 and allows an unauthenticated remote attacker to determine whether a Windows domain user exists (Tenable Advisory).

The vulnerability has a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-203 (Observable Discrepancy). An attacker can exploit this by first obtaining the configured domain list through the RestAPI/AuthenticationAPI endpoint, then using the RestAPI/ChangePasswordAPI endpoint to determine user existence based on HTTP response codes (Tenable Advisory).

The vulnerability allows attackers to enumerate valid Windows domain users without authentication. This information disclosure could be used as a stepping stone for further attacks by identifying valid user accounts in the domain (Tenable Advisory).

The vulnerability was fixed in ManageEngine ADSelfService Plus build 6116. Organizations should upgrade to this version or newer to remediate the vulnerability (Tenable Advisory).