CVE-2024-12058External Control of File Name or Path in Ivanti Connect Secure

CWE-73External Control of File Name or Path3 documents3 sources
Severity
4.9MEDIUMNVD
CNA6.8
EPSS
1.2%
top 20.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ivanti Connect SecureIvanti Policy Secure
Timeline
PublishedFeb 11

Description

External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

NVDivanti/policy_secure< 22.7+1
NVDivanti/connect_secure< 22.7+1

🔴Vulnerability Details

2
CVEList
CVE-2024-12058: External control of a file name in Ivanti Connect Secure before version 222025-02-11
GHSA
GHSA-g8jx-gxq8-gg28: External control of a file name in Ivanti Connect Secure before version 222025-02-11
CVE-2024-12058 — External Control of File Name or Path | cvebase