CVE-2024-21888

A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
hackeroneCNA
8.8 HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
ivanticonnect_secure
10.0 <
𝑥
< 10.0
ivanticonnect_secure
23.0 <
𝑥
< 23.0
ivantipolicy_secure
23.0 <
𝑥
< 23.0
ivantipolicy_secure
10.0 <
𝑥
< 10.0
ivanticonnect_secure
9.0
ivanticonnect_secure
9.0:r1
ivanticonnect_secure
9.0:r2
ivanticonnect_secure
9.0:r2.1
ivanticonnect_secure
9.0:r3
ivanticonnect_secure
9.0:r3.1
ivanticonnect_secure
9.0:r3.2
ivanticonnect_secure
9.0:r3.3
ivanticonnect_secure
9.0:r3.5
ivanticonnect_secure
9.0:r4
ivanticonnect_secure
9.0:r4.1
ivanticonnect_secure
9.0:r5.0
ivanticonnect_secure
9.0:r6.0
ivanticonnect_secure
9.1:r1
ivanticonnect_secure
9.1:r10
ivanticonnect_secure
9.1:r11
ivanticonnect_secure
9.1:r11.3
ivanticonnect_secure
9.1:r11.4
ivanticonnect_secure
9.1:r11.5
ivanticonnect_secure
9.1:r12
ivanticonnect_secure
9.1:r12.1
ivanticonnect_secure
9.1:r13
ivanticonnect_secure
9.1:r13.1
ivanticonnect_secure
9.1:r14
ivanticonnect_secure
9.1:r15
ivanticonnect_secure
9.1:r15.2
ivanticonnect_secure
9.1:r16
ivanticonnect_secure
9.1:r16.1
ivanticonnect_secure
9.1:r17
ivanticonnect_secure
9.1:r17.1
ivanticonnect_secure
9.1:r18
ivanticonnect_secure
9.1:r18.1
ivanticonnect_secure
9.1:r18.2
ivanticonnect_secure
9.1:r2
ivanticonnect_secure
9.1:r3
ivanticonnect_secure
9.1:r4
ivanticonnect_secure
9.1:r4.1
ivanticonnect_secure
9.1:r4.2
ivanticonnect_secure
9.1:r4.3
ivanticonnect_secure
9.1:r5
ivanticonnect_secure
9.1:r6
ivanticonnect_secure
9.1:r7
ivanticonnect_secure
9.1:r8
ivanticonnect_secure
9.1:r8.1
ivanticonnect_secure
9.1:r8.2
ivanticonnect_secure
9.1:r9
ivanticonnect_secure
9.1:r9.1
ivanticonnect_secure
21.9:r1
ivanticonnect_secure
21.12:r1
ivanticonnect_secure
22.1:r1
ivanticonnect_secure
22.1:r6
ivanticonnect_secure
22.2
ivanticonnect_secure
22.2:r1
ivanticonnect_secure
22.3:r1
ivanticonnect_secure
22.4:r1
ivanticonnect_secure
22.4:r2.1
ivanticonnect_secure
22.6
ivanticonnect_secure
22.6:r1
ivanticonnect_secure
22.6:r2
ivanticonnect_secure
22.6:r2.1
ivantipolicy_secure
9.0
ivantipolicy_secure
9.0:r1
ivantipolicy_secure
9.0:r2
ivantipolicy_secure
9.0:r2.1
ivantipolicy_secure
9.0:r3
ivantipolicy_secure
9.0:r3.1
ivantipolicy_secure
9.0:r4
ivantipolicy_secure
9.1
ivantipolicy_secure
9.1:r1
ivantipolicy_secure
9.1:r10
ivantipolicy_secure
9.1:r11
ivantipolicy_secure
9.1:r12
ivantipolicy_secure
9.1:r13
ivantipolicy_secure
9.1:r13.1
ivantipolicy_secure
9.1:r14
ivantipolicy_secure
9.1:r15
ivantipolicy_secure
9.1:r16
ivantipolicy_secure
9.1:r17
ivantipolicy_secure
9.1:r18
ivantipolicy_secure
9.1:r18.1
ivantipolicy_secure
9.1:r18.2
ivantipolicy_secure
9.1:r2
ivantipolicy_secure
9.1:r3
ivantipolicy_secure
9.1:r3.1
ivantipolicy_secure
9.1:r4
ivantipolicy_secure
9.1:r4.1
ivantipolicy_secure
9.1:r4.2
ivantipolicy_secure
9.1:r4.3
ivantipolicy_secure
9.1:r5
ivantipolicy_secure
9.1:r6
ivantipolicy_secure
9.1:r7
ivantipolicy_secure
9.1:r8
ivantipolicy_secure
9.1:r8.1
ivantipolicy_secure
9.1:r8.2
ivantipolicy_secure
9.1:r9
ivantipolicy_secure
22.1:r1
ivantipolicy_secure
22.1:r6
ivantipolicy_secure
22.2:r1
ivantipolicy_secure
22.2:r3
ivantipolicy_secure
22.3:r1
ivantipolicy_secure
22.3:r3
ivantipolicy_secure
22.4:r1
ivantipolicy_secure
22.4:r2
ivantipolicy_secure
22.4:r2.1
ivantipolicy_secure
22.5:r1
ivantipolicy_secure
22.6:r1
𝑥
= Vulnerable software versions
References
https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US