cvebase

Ivanti Connect Secure vulnerabilities

130 known vulnerabilities affecting ivanti/connect_secure.

Total CVEs: 130
CISA KEV: 14 (actively exploited)
Public exploits: 14
Exploited in wild: 19
Severity breakdown: CRITICAL 15, HIGH 67, MEDIUM 46, LOW 2

Vulnerabilities

Page 4 of 7
CVE-2024-22052 | P3 | HIGH | CVSS 7.5 | v9.1; v22.1; +18 more | 2024-04-04
CWE-476: A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.
Source: NVD
CVE-2020-15352 | P3 | HIGH | CVSS 7.2 | v9.1 | 2020-10-27
CWE-611: An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Source: NVD
CVE-2024-37377 | P3 | HIGH | CVSS 7.5 | fixed in 22.7; v22.7; +1 more | 2024-12-12
CWE-787: A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
Source: NVD
CVE-2018-20810 | P3 | CRITICAL | CVSS 9.8 | v8.3 | 2019-06-28
CWE-326: Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.
Source: NVD
CVE-2024-47907 | P3 | HIGH | CVSS 7.5 | fixed in 22.7; v22.7 | 2024-11-12
CWE-121: A stack-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
Source: NVD
CVE-2021-22938 | P3 | HIGH | CVSS 7.2 | v9.1 | 2021-08-16
CWE-77: A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console.
Source: NVD
CVE-2017-11455 | P3 | HIGH | CVSS 8.8 | v8.1 | 2017-08-29
CWE-352: diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to the lack of anti-CSRF tokens.
Source: NVD
CVE-2024-37400 | P3 | HIGH | CVSS 7.5 | fixed in 22.7; v22.7; +1 more | 2024-11-13
CWE-125: An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service.
Source: NVD
CVE-2021-44720 | P3 | HIGH | CVSS 7.2 | v9.1 | 2022-08-12
CWE-798: In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role.
Source: NVD
CVE-2022-35254 | P3 | HIGH | CVSS 7.5 | fixed in 9.1; v9.1; +4 more | 2022-12-05
CWE-416: An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.
Source: NVD
CVE-2022-35258 | P3 | HIGH | CVSS 7.5 | fixed in 9.1; v9.1; +4 more | 2022-12-05
CWE-128: An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.
Source: NVD
CVE-2024-38649 | P3 | HIGH | CVSS 7.5 | fixed in 9.1; ≥ 21.9, < 22.7; +3 more | 2024-11-13
CWE-125: An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service.
Source: NVD
CVE-2020-8219 | P3 | HIGH | CVSS 7.2 | v9.1 | 2020-07-30
CWE-280: An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator.
Source: NVD
CVE-2021-22935 | P3 | HIGH | CVSS 7.2 | v9.1 | 2021-08-16
CWE-77: A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter.
Source: NVD
CVE-2021-22965 | P3 | HIGH | CVSS 7.5 | v9.1 | 2021-11-19
CWE-400: A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to cause a denial of service when a malformed request is sent to the device.
Source: NVD
CVE-2023-39340 | P3 | HIGH | CVSS 7.5 | v22.1; v22.2; +6 more | 2023-12-16
A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker can send a specific request which may lead to Denial of Service (DoS) of the appliance.
Source: NVD
CVE-2023-41720 | P3 | HIGH | CVSS 7.8 | v22.1; v22.2; +5 more | 2023-12-14
A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to gain elevated execution privileges on the affected system.
Source: NVD
CVE-2024-37401 | P3 | HIGH | CVSS 7.5 | fixed in 22.7; v22.7; +1 more | 2024-12-12
CWE-125: An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.
Source: NVD
CVE-2024-8495 | P3 | HIGH | CVSS 7.5 | fixed in 22.7; v22.7 | 2024-11-12
CWE-476: A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.
Source: NVD
CVE-2024-47906 | P3 | HIGH | CVSS 7.8 | fixed in 9.1; fixed in 22.7; +2 more | 2024-11-12
CWE-267: Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.
Source: NVD