
Cloud Vulnerability DB
A community-led vulnerabilities database
A denial-of-service vulnerability was identified in multiple Zoho ManageEngine products, including ServiceDesk Plus (through version 14104), Asset Explorer (through version 6987), ServiceDesk Plus MSP (before version 14000), and Support Center Plus (before version 14000). The vulnerability was discovered by Piotr Bazydlo of Trend Micro Zero Day Initiative and was officially reported on November 21, 2022, with fixes released starting January 24, 2023 (ManageEngine Advisory, ZDI Advisory).
The vulnerability exists within the ImageUploadServlet component and stems from improper input validation. An API method allocates memory based on the image size declared in the file header rather than on the actual content, so an attacker can force an oversized allocation by sending a small image file whose header declares a large size. The vulnerability has been assigned a CVSS score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity: network attack vector, low attack complexity, low privileges required, and no user interaction (ZDI Advisory).
When successfully exploited, this vulnerability can cause the application to crash or become unresponsive, resulting in users being unable to access the application. The impact is primarily focused on service availability, with no direct effect on confidentiality or integrity (ManageEngine Advisory).
ManageEngine has released fixes for all affected products: ServiceDesk Plus version 14104 (released January 24, 2023), ServiceDesk Plus MSP version 14001 (released February 16, 2023), SupportCenter Plus version 14001 (released February 20, 2023), and AssetExplorer version 6988 (released January 24, 2023). The fix adds limits on image pixel size and type validation for the request parameters. Users are advised to upgrade to these versions by downloading and applying the latest upgrade packs from the respective product pages (ManageEngine Advisory).
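The defensive pattern the fix describes (a limit on image pixel size plus validation of the declared parameters), shown as an added example. This is not ManageEngine's code and does not reflect how ImageUploadServlet is implemented; it assumes PNG uploads, which the advisory does not specify, and uses constructed limits. The validator parses the IHDR chunk, refuses to decode anything over a pixel budget, and cross-checks the declared dimensions against the actual upload length, so a file of a few dozen bytes that claims to be a huge image is rejected before any decode buffer is allocated.

```python
import struct
import zlib

# Constructed limits for this added example; they are not ManageEngine's actual values.
MAX_PIXELS = 25_000_000         # roughly 5000 x 5000
MAX_DEFLATE_RATIO = 1032        # zlib documents about 1032:1 as deflate's best-case ratio

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples per pixel


class RejectedUpload(ValueError):
    """Raised when an upload fails validation, before any decode buffer is allocated."""


def parse_ihdr(data: bytes) -> tuple[int, int, int, int]:
    """Return (width, height, bit_depth, colour_type) from a PNG's IHDR chunk.

    Type validation is done on the bytes themselves, never on a client-supplied
    Content-Type header or file extension."""
    if not data.startswith(PNG_SIGNATURE):
        raise RejectedUpload("not a PNG: bad signature")
    if len(data) < 8 + 8 + 13:
        raise RejectedUpload("truncated PNG header")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise RejectedUpload("first chunk is not a valid IHDR")
    width, height, bit_depth, colour_type = struct.unpack(">IIBB", data[16:26])
    return width, height, bit_depth, colour_type


def raw_scanline_bytes(width: int, height: int, bit_depth: int, colour_type: int) -> int:
    """Bytes a decoder must hold for the unfiltered image: per row,
    ceil(width * channels * bit_depth / 8) plus one filter-type byte."""
    channels = CHANNELS.get(colour_type)
    if channels is None or bit_depth not in (1, 2, 4, 8, 16):
        raise RejectedUpload("invalid IHDR bit depth or colour type")
    row = (width * channels * bit_depth + 7) // 8 + 1
    return row * height


def validate_upload(data: bytes, max_pixels: int = MAX_PIXELS) -> tuple[int, int]:
    """Hardened check: decide from the header and the payload length whether the
    image may be decoded at all. Returns (width, height) for an accepted upload."""
    width, height, bit_depth, colour_type = parse_ihdr(data)
    if width == 0 or height == 0:
        raise RejectedUpload("zero-sized image")
    # 1. Pixel budget. Check each factor before the product: in Java or C the
    #    multiplication itself can overflow to a small positive number.
    if width > max_pixels or height > max_pixels or width * height > max_pixels:
        raise RejectedUpload(f"declared {width}x{height} exceeds pixel budget {max_pixels}")
    # 2. Consistency between the declared size and what was actually uploaded:
    #    deflate cannot expand beyond ~1032:1, so a decode buffer larger than
    #    that bound cannot be filled by this payload and the header is bogus.
    needed = raw_scanline_bytes(width, height, bit_depth, colour_type)
    if needed > len(data) * MAX_DEFLATE_RATIO:
        raise RejectedUpload(f"{len(data)}-byte upload cannot decode to {needed} bytes")
    return width, height


def is_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the bytes."""
    try:
        validate_upload(data)
        return True
    except RejectedUpload:
        return False


def make_png(width: int, height: int, idat: bytes = b"") -> bytes:
    """Constructed test fixture: signature, IHDR (8-bit RGBA), optional IDAT, IEND."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0))
    body = chunk(b"IDAT", idat) if idat else b""
    return PNG_SIGNATURE + ihdr + body + chunk(b"IEND", b"")


def make_blank_png(width: int, height: int) -> bytes:
    """A genuinely decodable all-black RGBA PNG of the given size (constructed)."""
    raw = bytes(raw_scanline_bytes(width, height, 8, 6))
    return make_png(width, height, zlib.compress(raw))


if __name__ == "__main__":
    print("64x64 blank image accepted as", validate_upload(make_blank_png(64, 64)))
    for w, h in ((60000, 60000), (4000, 4000)):
        tiny = make_png(w, h)   # a few dozen bytes whose header claims a large image
        try:
            validate_upload(tiny)
        except RejectedUpload as exc:
            print(f"{len(tiny)}-byte upload rejected: {exc}")
```

The two checks are complementary: the pixel budget bounds the worst-case allocation regardless of input, and the ratio check catches headers that are under the budget but still cannot be backed by the bytes actually received. In a Java servlet the same logic belongs before any call that sizes a buffer from the parsed dimensions, with the width and height multiplied in a long or checked individually to avoid integer overflow.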
Source: This report was generated using AI