
CVE-2024-21887

CISA Known Exploited Vulnerability (KEV)

Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

January 10, 2024

January 22, 2024

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Weakness Enumeration

CWE-ID: CWE-77
CWE Name: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Known Affected Software Configurations


cpe:2.3:a:ivanti:connect_secure:9.0:rx:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r4.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r2.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r1.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r3.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r15.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r6.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.6:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r5.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.6:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.5:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r4.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r12.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r13.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r17.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.2:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.3:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.3:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.4:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.4:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.5:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.5:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.6:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.4:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r10:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r11:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r12:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r13:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r4.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r9:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r14:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r17:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r18:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r3.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r4.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r8:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r13.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r5:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r8.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r8.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r7:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.6:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.5:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.3:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.4:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.4:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.2:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.2:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r16.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r15:*:*:*:*:*:*

Details

Source: NVD
Published:
Updated:

Risk information

CVSS v3

Base score: 9.1
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v2

Not defined