CVE-2024-22024

Summary

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

Affected Software

VendorProductVersion RangeStatus
IvantiICS9.1R14.5 < 9.1R14.5affected
IvantiICS9.1R17.3 < 9.1R17.3affected
IvantiICS9.1R18.4 < 9.1R18.4affected
IvantiICS22.1R6.1 < 22.1R6.1affected
IvantiICS9.1R14.4 < 9.1R14.4unaffected
IvantiICS9.1R15.2 < 9.1R15.2unaffected
IvantiICS9.1R16.2 < 9.1R16.2unaffected
IvantiICS9.1R17.2 < 9.1R17.2unaffected
IvantiICS9.1R18.3 < 9.1R18.3unaffected
IvantiICS22.1R6.1 < 22.1R6.1unaffected
IvantiICS22.2R4.1 < 22.2R4.1affected
IvantiICS22.3R1.1 < 22.3R1.1affected
IvantiICS22.4R1.1 < 22.4R1.1affected
IvantiICS22.5R1.2 < 22.5R1.2affected
IvantiICS22.6R1.1 < 22.6R1.1affected
IvantiICS22.4R2.3 < 22.4R2.3affected
IvantiICS22.5R2.3 < 22.5R2.3affected
IvantiICS22.6R2.2 < 22.6R2.2affected
IvantiICS22.2R4.1 < 22.2R4.1unaffected
IvantiICS22.3R1 < 22.3R1unaffected
IvantiICS22.4R1.1 < 22.4R1.1unaffected
IvantiICS22.5R1.1 < 22.5R1.1unaffected
IvantiICS22.6R1.1 < 22.6R1.1unaffected
IvantiICS22.4R2.2 < 22.4R2.2unaffected
IvantiICS22.5R2.2 < 22.5R2.2unaffected
IvantiICS22.6R2.2 < 22.6R2.2unaffected
IvantICS9.1R15.3 < 9.1R15.3affected
IvantiIPS9.1R18.4 < 9.1R18.4affected
IvantiIPS9.1R17.3 < 9.1R17.3affected
IvantiIPS22.5R1.2 < 22.5R1.2affected
IvantiIPS9.1R18.2 < 9.1R18.2unaffected
IvantiIPS9.1R17.2 < 9.1R17.2unaffected
IvantiIPS22.5R1.1 < 22.5R1.1unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References