CVE-2024-21887 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

Exploit added

January 10, 2024

Action due

January 22, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-77	Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Known Affected Software Configurations

cpe:2.3:a:ivanti:connect_secure:9.0:rx::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r4.0::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r2.0::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r1.0::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.0::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r1::::::
cpe:2.3:a:ivanti:policy_secure:9.0:-::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r3::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r4::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r2.1::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r2::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r3.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r15.2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r2.1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r6.0::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r1::::::
cpe:2.3:a:ivanti:connect_secure:22.6:r2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.3::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r5.0::::::
cpe:2.3:a:ivanti:connect_secure:22.6:r1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:-::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r4::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.5::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r4.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11.4::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r12.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r9.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r12::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r17::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r13.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r13::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r14::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r2::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r18::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11.5::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r17.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4.2::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r3::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r5::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r6::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4.3::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r8.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r8.2::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r8::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r7::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r10::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r9::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3::::::
cpe:2.3:a:ivanti:policy_secure:22.2:r3::::::
cpe:2.3:a:ivanti:policy_secure:22.3:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.3:r3::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r2.1::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r2::::::
cpe:2.3:a:ivanti:policy_secure:22.5:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.5:r2.1::::::
cpe:2.3:a:ivanti:policy_secure:22.6:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r10::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r11::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r12::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r13::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r4.2::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r9::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r14::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r17::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r18::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r2::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r3.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r3::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r4.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r13.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r4::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r5::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r6::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8.2::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r7::::::
cpe:2.3:a:ivanti:policy_secure:22.1:r6::::::
cpe:2.3:a:ivanti:connect_secure:22.6:-::::::
cpe:2.3:a:ivanti:connect_secure:22.5:r2.1::::::
cpe:2.3:a:ivanti:connect_secure:22.1:r6::::::
cpe:2.3:a:ivanti:connect_secure:22.3:r1::::::
cpe:2.3:a:ivanti:connect_secure:22.4:r1::::::
cpe:2.3:a:ivanti:connect_secure:22.4:r2.1::::::
cpe:2.3:a:ivanti:connect_secure:22.2:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.2:r1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r15::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r16.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r16::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r15::::::

Details

Source:
NVD

Published:
January 12, 2024

Updated:
June 10, 2024

Risk information

CVSS v3

Base score:
9.1

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v2

Not defined