CVE-2024-38657External Control of File Name or Path in Ivanti Connect Secure

CWE-73External Control of File Name or Path3 documents3 sources
Severity
4.9MEDIUMNVD
EPSS
0.6%
top 30.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ivanti Connect SecureIvanti Policy Secure
Timeline
PublishedFeb 21

Description

External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

CVEListV5ivanti/policy_secure22.7R1.322.7R1.3
NVDivanti/policy_secure< 22.7+1
CVEListV5ivanti/connect_secure22.7R2.422.7R2.4
NVDivanti/connect_secure< 22.7+1

🔴Vulnerability Details

2
GHSA
GHSA-gj4j-xh74-gvw8: External control of a file name in Ivanti Connect Secure before version 222025-02-21
CVEList
CVE-2024-38657: External control of a file name in Ivanti Connect Secure before version 222025-02-21
CVE-2024-38657 — External Control of File Name or Path | cvebase