CVE-2022-48362: 
Zoho ManageEngine Desktop Central Server vulnerability analysis and mitigation

CVE-2022-48362 affects Zoho ManageEngine Desktop Central and Desktop Central MSP versions before 10.1.2137.2. The vulnerability allows directory traversal via computerName parameter to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. The attacker could authenticate by exploiting CVE-2021-44515 (MITRE, ManageEngine).

The vulnerability exists in the AgentLogUploadServlet which processes file uploads. The servlet fails to properly validate the computerName parameter, allowing directory traversal. An attacker can manipulate this parameter to write files outside the intended directory. The vulnerability specifically allows uploading files with .zip, .7z, or .gz extensions. When combined with CVE-2021-44515 for authentication bypass, an attacker could upload malicious code that gets executed upon server restart (SrcIncite).

The vulnerability allows authenticated attackers to upload arbitrary code to the server. When the server is restarted, this code would be executed, potentially leading to remote code execution and full system compromise. The impact is particularly severe when chained with authentication bypass vulnerabilities like CVE-2021-44515 (MITRE).

The vulnerability has been fixed in version 10.1.2137.2 by implementing enhanced file path validation. Organizations should upgrade to this version or later to protect against this vulnerability. The fix includes additional checks in the AgentLogUploadServlet to prevent directory traversal attacks (ManageEngine).