CVE-2024-21893 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

Exploit added

January 31, 2024

Action due

February 2, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

References

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

Weakness Enumeration

CWE-ID	CWE Name
CWE-918	Server-Side Request Forgery (SSRF)

Known Affected Software Configurations

cpe:2.3:a:ivanti:neurons_for_zero-trust_access:-:::::::*
cpe:2.3:a:ivanti:policy_secure:9.1:r4.3::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r2.1::::::
cpe:2.3:a:ivanti:policy_secure:9.0:-::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r18.2::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r3.1::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r3::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r18.1::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:-::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r4::::::
cpe:2.3:a:ivanti:policy_secure:9.0:r2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r2.1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r5.0::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r2::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r15.2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r4::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r4.1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.3::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r18.1::::::
cpe:2.3:a:ivanti:connect_secure:22.6:r2.1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r18.2::::::
cpe:2.3:a:ivanti:connect_secure:22.6:r1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r6.0::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.1::::::
cpe:2.3:a:ivanti:connect_secure:9.0:-::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r3.5::::::
cpe:2.3:a:ivanti:connect_secure:22.6:r2::::::
cpe:2.3:a:ivanti:connect_secure:9.0:r1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r12.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r13.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r12::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r13::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r14::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r3::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r18::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4.3::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r2::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r5::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r6::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r10::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r7::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r8.2::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r17::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11.4::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r9.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r8.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r8::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r17.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11.5::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r9::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r4.2::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r11::::::
cpe:2.3:a:ivanti:policy_secure:22.2:r3::::::
cpe:2.3:a:ivanti:policy_secure:22.3:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.3:r3::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r2.1::::::
cpe:2.3:a:ivanti:policy_secure:22.4:r2::::::
cpe:2.3:a:ivanti:policy_secure:22.5:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.6:r1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r9::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r10::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r11::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r12::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r13::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8.2::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r14::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r17::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r8.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r18::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r2::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r3.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r13.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r4.1::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r4.2::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r7::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r6::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r5::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r4::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r3::::::
cpe:2.3:a:ivanti:policy_secure:22.1:r6::::::
cpe:2.3:a:ivanti:connect_secure:22.6:-::::::
cpe:2.3:a:ivanti:connect_secure:22.4:r1::::::
cpe:2.3:a:ivanti:connect_secure:22.1:r6::::::
cpe:2.3:a:ivanti:connect_secure:22.4:r2.1::::::
cpe:2.3:a:ivanti:connect_secure:22.3:r1::::::
cpe:2.3:a:ivanti:policy_secure:22.2:r1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r15::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r16.1::::::
cpe:2.3:a:ivanti:connect_secure:9.1:r16::::::
cpe:2.3:a:ivanti:policy_secure:9.1:r15::::::

Details

Source:
NVD

Published:
January 31, 2024

Updated:
July 3, 2024

Risk information

CVSS v3

Base score:
8.2

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS v2

Not defined