CVE-2021-37419: 
Zoho ManageEngine ADManager Plus vulnerability analysis and mitigation

Zoho ManageEngine ADSelfService Plus versions before 6112 were found to be vulnerable to Server-Side Request Forgery (SSRF). The vulnerability, tracked as CVE-2021-37419, was discovered in 2021 and affects the high availability environment of the application (STM Cyber Blog, NVD).

The vulnerability exists in the /servlet/ADSHACluster endpoint and allows attackers to conduct SSRF attacks without authentication by sending specially crafted POST requests. The CVSS v3.1 base score is 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability specifically affects the high availability setup of ADSelfService Plus, where attackers can send POST requests from the primary server to arbitrary destinations (STM Cyber Blog, NVD).

The vulnerability allows attackers to send POST requests to any address and endpoint, with the ability to provide custom parameters in the POST request body. These requests can be sent via HTTPS protocol only, potentially leading to unauthorized access to internal resources and data exposure (STM Cyber Blog).

The vulnerability was fixed in ManageEngine ADSelfService Plus build 6112. The fix includes proper sanitization of data provided in the haAuthKey and MASTERSERVERURL JSON parameters. Organizations are advised to upgrade to version 6112 or later to address this vulnerability (ManageEngine).