CVE-2023-46805

CISA Known Exploited Vulnerability (KEV)

Vulnerability name: Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability

Date added: January 10, 2024

Due date: January 22, 2024

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Weakness Enumeration

CWE-ID: CWE-287
CWE Name: Improper Authentication

Known Affected Software Configurations


cpe:2.3:a:ivanti:connect_secure:9.0:rx:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r4.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r2.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r1.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.0:r3.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r15.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r6.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.6:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r5.0:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.6:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.5:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.0:r4.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11.4:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r12.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r13.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r17.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.2:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.3:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.3:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.4:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.4:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.5:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.5:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.6:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.4:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r10:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r11:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r12:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r13:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r4.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r9:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r14:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r17:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r18:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r3.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r3:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r4.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r8:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r13.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r4:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r5:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r8.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r8.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r7:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.6:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.5:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.1:r6:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.3:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.4:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.4:r2.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.2:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.2:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r16.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:9.1:r15:*:*:*:*:*:*

Details

Source: NVD
Published:
Updated:

Risk information

CVSS v3

Base score: 8.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS v2

Not defined