CVE-2024-21893

Summary

A server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an unauthenticated attacker to make the appliance issue requests to certain restricted resources on the attacker's behalf. The flaw is reachable without credentials and has been exploited in the wild, in public exploits chained with CVE-2024-21887 to reach remote code execution.
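The page identifies the flaw only as an SSRF (CWE-918) in the SAML component. The Python below is an added example, not Ivanti's code and not an exploit: it shows the CWE-918 pattern in a SAML signature handler that dereferences a ds:RetrievalMethod URI taken from the untrusted message, beside a hardened resolver that refuses anything but https URIs on pre-configured IdP hosts. The XML fragments, the loopback URL and path, the host idp.example.org and the RecordingFetcher stub are all constructed for this example; which SAML element Ivanti's component actually dereferenced is not stated on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not a real payload): an attacker-supplied signature block
# whose KeyInfo asks the service provider to fetch key material from loopback.
# Host, port and path are hypothetical.
ATTACKER_XML = (
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:KeyInfo>'
    '<ds:RetrievalMethod URI="http://127.0.0.1:8090/internal/api"'
    f' Type="{DS_NS}X509Data"/>'
    '</ds:KeyInfo></ds:Signature>'
)

# Constructed benign case: the key lives on the trusted IdP's host (hypothetical).
LEGIT_XML = (
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:KeyInfo>'
    '<ds:RetrievalMethod URI="https://idp.example.org/keys/signing.pem"'
    f' Type="{DS_NS}X509Data"/>'
    '</ds:KeyInfo></ds:Signature>'
)


def retrieval_uris(xml_text):
    """Return every ds:RetrievalMethod URI in the document, in document order."""
    root = ET.fromstring(xml_text)
    return [el.get("URI") for el in root.iter(f"{{{DS_NS}}}RetrievalMethod") if el.get("URI")]


class RecordingFetcher:
    """Stand-in for the HTTP client: records requested URLs instead of fetching."""

    def __init__(self):
        self.requested = []

    def __call__(self, url):
        self.requested.append(url)
        return b"-----BEGIN CERTIFICATE-----stub-----END CERTIFICATE-----"


def resolve_key_vulnerable(xml_text, fetch):
    """CWE-918: dereferences whatever URI the untrusted message names,
    so the message author chooses where the server sends a request."""
    uris = retrieval_uris(xml_text)
    return fetch(uris[0]) if uris else None


def vulnerable_request_target(xml_text):
    """Which URL(s) the vulnerable resolver would contact for this document."""
    fetch = RecordingFetcher()
    resolve_key_vulnerable(xml_text, fetch)
    return fetch.requested


class SsrfBlocked(ValueError):
    """Raised when a message tries to steer the server to a disallowed URI."""


def check_retrieval_uri(uri, allowed_hosts):
    """Gate a message-supplied URI: https only, no userinfo, no literal IPs,
    and the host must be one of the pre-configured IdP hosts."""
    p = urlparse(uri)
    if p.scheme != "https":
        raise SsrfBlocked(f"scheme {p.scheme!r} not allowed")
    if p.username or p.password:
        raise SsrfBlocked("userinfo in URI not allowed")
    host = (p.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, not a literal address; fall through to the allowlist
    else:
        raise SsrfBlocked(f"literal IP {host} not allowed")
    if host not in allowed_hosts:
        raise SsrfBlocked(f"host {host!r} is not an allowlisted IdP")
    return uri


def resolve_key_hardened(xml_text, fetch, allowed_hosts):
    """Same lookup, but every URI passes check_retrieval_uri before any request."""
    uris = retrieval_uris(xml_text)
    if not uris:
        return None
    return fetch(check_retrieval_uri(uris[0], allowed_hosts))


def is_blocked(xml_text, allowed_hosts):
    """True when the hardened resolver refuses the document's URI without fetching."""
    fetch = RecordingFetcher()
    try:
        resolve_key_hardened(xml_text, fetch, allowed_hosts)
    except SsrfBlocked:
        return not fetch.requested
    return False


if __name__ == "__main__":
    print("vulnerable resolver would request:", vulnerable_request_target(ATTACKER_XML))
    print("hardened resolver blocks attacker XML:", is_blocked(ATTACKER_XML, {"idp.example.org"}))
    print("hardened resolver blocks legit XML:", is_blocked(LEGIT_XML, {"idp.example.org"}))
```

The allowlist gate is the minimum; a hostname allowlist alone does not stop DNS rebinding, so a real client must also check the resolved address at connect time and pin it for the request. The stronger design, and the one most SAML deployments can live with, is to take signing keys only from pre-configured IdP metadata and never dereference a URI carried in the message at all.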

Severity

High

Severity Score

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-ID

CWE-918

References

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US (Ivanti advisory; covers both CVE-2024-21888 and CVE-2024-21893)
https://nvd.nist.gov/vuln/detail/CVE-2024-21893
https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CISA KEV; this CVE is listed)

Mitigation and Patches

Apply the fixed builds listed in the Ivanti advisory above; the same advisory describes the interim mitigation for versions without a patch. Because public exploits chain this SSRF with CVE-2024-21887, an appliance that was exposed while unpatched should be treated as potentially compromised and checked with Ivanti's integrity guidance, not just updated.

Exploits

https://github.com/h4x0r-dz/CVE-2024-21893.py
https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887 (chains the SSRF with CVE-2024-21887 for remote code execution)

Metasploit Payload

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb
