CVE-2024-38655Argument Injection in Ivanti Connect Secure

CWE-88Argument Injection3 documents3 sources
Severity
7.2HIGHNVD
EPSS
14.5%
top 5.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ivanti Connect SecureIvanti Policy Secure
Timeline
PublishedNov 13

Description

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

CVEListV5ivanti/policy_secure22.7R1.122.7R1.1+1
NVDivanti/policy_secure< 22.7+1
CVEListV5ivanti/connect_secure22.7R2.122.7R2.1+1
NVDivanti/connect_secure< 22.7+1

🔴Vulnerability Details

2
CVEList
CVE-2024-38655: Argument injection in Ivanti Connect Secure before version 222024-11-13
GHSA
GHSA-rj97-2r59-3w68: Argument injection in Ivanti Connect Secure before version 222024-11-13
CVE-2024-38655 — Argument Injection in Ivanti | cvebase