CVE-2024-22023: NULL Pointer Dereference in Ivanti Connect Secure

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.7% (top 27.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 4

Description

An XML entity expansion (XEE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, resulting in a limited-time DoS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

Source | Package | Versions | More
CVEListV5 | ivanti/policy_secure | 22.4R1.2, 22.4R1.2 | +5
CVEListV5 | ivanti/connect_secure | 22.1R6.2, 22.1R6.2 | +12
NVD | ivanti/policy_secure | 8 versions | +7
NVD | ivanti/connect_secure | 7 versions | +6

Vulnerability Details (2)

Source | ID | Summary | Published
CVEList | CVE-2024-22023 | An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9... | 2024-04-04
GHSA | GHSA-mfj7-pc34-cqm8 | An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9... | 2024-04-04
CVE-2024-22023 — NULL Pointer Dereference in Ivanti | cvebase