CVE-2024-21894

Summary

A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code

Affected Software

VendorProductVersion RangeStatus
IvantiConnect Secure22.1R6.2 < 22.1R6.2affected
IvantiConnect Secure22.2R4.2 < 22.2R4.2affected
IvantiConnect Secure22.3R1.2 < 22.3R1.2affected
IvantiConnect Secure22.4R1.2 < 22.4R1.2affected
IvantiConnect Secure22.4R2.4 < 22.4R2.4affected
IvantiConnect Secure22.5R1.3 < 22.5R1.3affected
IvantiConnect Secure22.5R2.4 < 22.5R2.4affected
IvantiConnect Secure22.6R2.3 < 22.6R2.3affected
IvantiConnect Secure9.1R14.6 < 9.1R14.6affected
IvantiConnect Secure9.1R15.4 < 9.1R15.4affected
IvantiConnect Secure9.1R16.4 < 9.1R16.4affected
IvantiConnect Secure9.1R17.4 < 9.1R17.4affected
IvantiConnect Secure9.1R18.5 < 9.1R18.5affected
IvantiPolicy Secure22.4R1.2 < 22.4R1.2affected
IvantiPolicy Secure22.6R1.2 < 22.6R1.2affected
IvantiPolicy Secure9.1R16.4 < 9.1R16.4affected
IvantiPolicy Secure9.1R17.4 < 9.1R17.4affected
IvantiPolicy Secure9.1R18.5 < 9.1R18.5affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References