CVE-2024-11007

Опубликовано: 12 нояб. 2024

Источник: nvd

CVSS3: 9.1

CVSS3: 7.2

EPSS Средний

Описание

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Ссылки

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*

Версия до 22.7 (исключая)

cpe:2.3:a:ivanti:connect_secure:22.7:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.7:r1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.7:r1.1:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.7:r1.2:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.7:r1.3:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.7:r1.4:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.7:r1.5:*:*:*:*:*:*

cpe:2.3:a:ivanti:connect_secure:22.7:r2:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:a:ivanti:policy_secure:*:*:*:*:*:*:*:*

Версия до 22.7 (исключая)

cpe:2.3:a:ivanti:policy_secure:22.7:-:*:*:*:*:*:*

cpe:2.3:a:ivanti:policy_secure:22.7:r1:*:*:*:*:*:*

EPSS

Процентиль: 95%

0.17022

Средний

9.1 Critical

CVSS3

7.2 High

CVSS3

Дефекты

CWE-78

Связанные уязвимости

GHSA-268c-v4f5-27qw

CVSS3: 9.1

github

12 месяцев назад

Command injection in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

EPSS

Процентиль: 95%

0.17022

Средний

9.1 Critical

CVSS3

7.2 High

CVSS3

Дефекты

CWE-78