CVE-2024-7569
Published: 2024-08-13
Priority: P357 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.64% (73.4th percentile)
An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.
Affected (4 ranges; version bounds not given by the source)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | itsm | — | — |
| ivanti | neurons_for_itsm | — | — |
| ivanti | neurons_for_itsm | — | — |
| ivanti | neurons_for_itsm | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability exposes the OIDC client secret via debug information to unauthenticated attackers — monitor for unauthenticated requests to debug/diagnostic endpoints on Ivanti ITSM on-prem and Neurons for ITSM.
- Audit OIDC client secret exposure — if the secret has been leaked, treat it as compromised and rotate it immediately; monitor for unauthorized OAuth/OIDC token issuance using the affected client secret.
- Affected versions are Ivanti ITSM on-prem and Neurons for ITSM 2023.4 and earlier — scope detection and patching efforts to these versions.
- The vulnerability is classified CWE-215 (Insertion of Sensitive Information Into Debugging Code) and CWE-922 (Insecure Storage of Sensitive Information) with a CVSS score of 9.6 CRITICAL — ensure debug endpoints are not exposed to unauthenticated users and that debug logging is disabled in production.
Source: Ivanti
Ivanti Security Advisory: CVE-2024-7569
vendor_ivanti · 2024-08-13 · CVSS 9.6 · CRITICAL · CWE-215
An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.
CVE IDs: CVE-2024-7569
CVSS Base Score: 9.6
Severity: CRITICAL
CWEs: CWE-215 (Insertion of Sensitive Information Into Debugging Code), CWE-922 (Insecure Storage of Sensitive Information)
Source: GHSA
GHSA-rj6p-94v3-4ccp
ghsa_unreviewed · 2024-08-13 · CRITICAL · CWE-215
An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.
Detection rules: none found.
Public exploits: none indexed.
Published: 2024-08-13