forums.ivanti.com
2606:4700::6811:896b  Public Scan

URL: https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure...
Submission: On February 01 via api from TR — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy
Secure 
Primary Product

Created Date
22.01.2024 22:07:08
Last Modified Date
31.01.2024 09:59:02

DESCRIPTION:

As part of our ongoing investigation into the vulnerabilities reported on 10
January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have
discovered new vulnerabilities. These vulnerabilities impact all supported
versions – Version 9.x and 22.x (refer to Granular Software Release EOL
Timelines and Support Matrix for supported versions).
Refer to KB43892 – What releases will Pulse Secure apply fixes to resolve
security vulnerabilities for our End of Engineering (EOE) and End of Life (EOL)
policies.
We have no evidence of any customers being impacted by CVE-2024-21888 at this
time. We are only aware of a small number of customers who have been impacted by
CVE-2024-21893 at this time.
The table below provides details on the vulnerabilities:

CVE: CVE-2024-21888
Description: A privilege escalation vulnerability in web component of Ivanti
Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user
to elevate privileges to that of an administrator.
CVSS: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2024-21893
Description: A server-side request forgery vulnerability in the SAML component
of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and
Ivanti Neurons for ZTA allows an attacker to access certain restricted
resources without authentication.
CVSS: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
 


Upon learning of these vulnerabilities, we immediately mobilized resources and
the patch is available now via the standard download portal for Ivanti Connect
Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA
version 22.6R1.3.
The remaining supported versions will be patched in a staggered schedule, and a
new mitigation is available for download. If customers have applied the patch
they do not need to apply the mitigation.
It is critical that you immediately take action to ensure you are fully
protected.

Customers can read this KB article for detailed instructions on how to apply the
mitigation and apply the patch as each version becomes available. Please ensure
you are following this article to receive updates. If you have questions or
require further support, please log a case and/or request a call in the Success
Portal.
Ivanti would like to thank Pear1y for their assistance in identifying and
reporting the issue in Ivanti Connect Secure and Ivanti Policy Secure.


 

Article Number :
000090322
Article Promotion Level
Normal


Copyright © 2019-2023 Ivanti. All rights reserved.


