CVE-2024-22023

Summary

An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

Affected Software

VendorProductVersion RangeStatus
IvantiConnect Secure22.1R6.2 < 22.1R6.2affected
IvantiConnect Secure22.2R4.2 < 22.2R4.2affected
IvantiConnect Secure22.3R1.2 < 22.3R1.2affected
IvantiConnect Secure22.4R1.2 < 22.4R1.2affected
IvantiConnect Secure22.4R2.4 < 22.4R2.4affected
IvantiConnect Secure22.5R1.3 < 22.5R1.3affected
IvantiConnect Secure22.5R2.4 < 22.5R2.4affected
IvantiConnect Secure22.6R2.3 < 22.6R2.3affected
IvantiConnect Secure9.1R14.6 < 9.1R14.6affected
IvantiConnect Secure9.1R15.4 < 9.1R15.4affected
IvantiConnect Secure9.1R16.4 < 9.1R16.4affected
IvantiConnect Secure9.1R17.4 < 9.1R17.4affected
IvantiConnect Secure9.1R18.5 < 9.1R18.5affected
IvantiPolicy Secure22.4R1.2 < 22.4R1.2affected
IvantiPolicy Secure22.5R1.3 < 22.5R1.3affected
IvantiPolicy Secure22.6R1.2 < 22.6R1.2affected
IvantiPolicy Secure9.1R16.4 < 9.1R16.4affected
IvantiPolicy Secure9.1R17.4 < 9.1R17.4affected
IvantiPolicy Secure9.1R18.5 < 9.1R18.5affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References