CVE-2024-21893

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
SSRF
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.2 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| hackerone | CNA | 8.2 HIGH | | | | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| CISA-ADP | ADP | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
EPSS Score Percentile: 99%
| Vendor | Product | Version |
|---|---|---|
| ivanti | connect_secure | 9.0 |
| ivanti | connect_secure | 9.0:r1 |
| ivanti | connect_secure | 9.0:r2 |
| ivanti | connect_secure | 9.0:r2.1 |
| ivanti | connect_secure | 9.0:r3 |
| ivanti | connect_secure | 9.0:r3.1 |
| ivanti | connect_secure | 9.0:r3.2 |
| ivanti | connect_secure | 9.0:r3.3 |
| ivanti | connect_secure | 9.0:r3.5 |
| ivanti | connect_secure | 9.0:r4 |
| ivanti | connect_secure | 9.0:r4.1 |
| ivanti | connect_secure | 9.0:r5.0 |
| ivanti | connect_secure | 9.0:r6.0 |
| ivanti | connect_secure | 9.1:r1 |
| ivanti | connect_secure | 9.1:r10 |
| ivanti | connect_secure | 9.1:r11 |
| ivanti | connect_secure | 9.1:r11.3 |
| ivanti | connect_secure | 9.1:r11.4 |
| ivanti | connect_secure | 9.1:r11.5 |
| ivanti | connect_secure | 9.1:r12 |
| ivanti | connect_secure | 9.1:r12.1 |
| ivanti | connect_secure | 9.1:r13 |
| ivanti | connect_secure | 9.1:r13.1 |
| ivanti | connect_secure | 9.1:r14 |
| ivanti | connect_secure | 9.1:r15 |
| ivanti | connect_secure | 9.1:r15.2 |
| ivanti | connect_secure | 9.1:r16 |
| ivanti | connect_secure | 9.1:r16.1 |
| ivanti | connect_secure | 9.1:r17 |
| ivanti | connect_secure | 9.1:r17.1 |
| ivanti | connect_secure | 9.1:r18 |
| ivanti | connect_secure | 9.1:r18.1 |
| ivanti | connect_secure | 9.1:r18.2 |
| ivanti | connect_secure | 9.1:r2 |
| ivanti | connect_secure | 9.1:r3 |
| ivanti | connect_secure | 9.1:r4 |
| ivanti | connect_secure | 9.1:r4.1 |
| ivanti | connect_secure | 9.1:r4.2 |
| ivanti | connect_secure | 9.1:r4.3 |
| ivanti | connect_secure | 9.1:r5 |
| ivanti | connect_secure | 9.1:r6 |
| ivanti | connect_secure | 9.1:r7 |
| ivanti | connect_secure | 9.1:r8 |
| ivanti | connect_secure | 9.1:r8.1 |
| ivanti | connect_secure | 9.1:r8.2 |
| ivanti | connect_secure | 9.1:r9 |
| ivanti | connect_secure | 9.1:r9.1 |
| ivanti | connect_secure | 21.9:r1 |
| ivanti | connect_secure | 21.12:r1 |
| ivanti | connect_secure | 22.1:r1 |
| ivanti | connect_secure | 22.1:r6 |
| ivanti | connect_secure | 22.2 |
| ivanti | connect_secure | 22.2:r1 |
| ivanti | connect_secure | 22.3:r1 |
| ivanti | connect_secure | 22.4:r1 |
| ivanti | connect_secure | 22.4:r2.1 |
| ivanti | connect_secure | 22.6 |
| ivanti | connect_secure | 22.6:r1 |
| ivanti | connect_secure | 22.6:r2 |
| ivanti | connect_secure | 22.6:r2.1 |
| ivanti | policy_secure | 9.0 |
| ivanti | policy_secure | 9.0:r1 |
| ivanti | policy_secure | 9.0:r2 |
| ivanti | policy_secure | 9.0:r2.1 |
| ivanti | policy_secure | 9.0:r3 |
| ivanti | policy_secure | 9.0:r3.1 |
| ivanti | policy_secure | 9.0:r4 |
| ivanti | policy_secure | 9.1 |
| ivanti | policy_secure | 9.1:r1 |
| ivanti | policy_secure | 9.1:r10 |
| ivanti | policy_secure | 9.1:r11 |
| ivanti | policy_secure | 9.1:r12 |
| ivanti | policy_secure | 9.1:r13 |
| ivanti | policy_secure | 9.1:r13.1 |
| ivanti | policy_secure | 9.1:r14 |
| ivanti | policy_secure | 9.1:r15 |
| ivanti | policy_secure | 9.1:r16 |
| ivanti | policy_secure | 9.1:r17 |
| ivanti | policy_secure | 9.1:r18 |
| ivanti | policy_secure | 9.1:r18.1 |
| ivanti | policy_secure | 9.1:r18.2 |
| ivanti | policy_secure | 9.1:r2 |
| ivanti | policy_secure | 9.1:r3 |
| ivanti | policy_secure | 9.1:r3.1 |
| ivanti | policy_secure | 9.1:r4 |
| ivanti | policy_secure | 9.1:r4.1 |
| ivanti | policy_secure | 9.1:r4.2 |
| ivanti | policy_secure | 9.1:r4.3 |
| ivanti | policy_secure | 9.1:r5 |
| ivanti | policy_secure | 9.1:r6 |
| ivanti | policy_secure | 9.1:r7 |
| ivanti | policy_secure | 9.1:r8 |
| ivanti | policy_secure | 9.1:r8.1 |
| ivanti | policy_secure | 9.1:r8.2 |
| ivanti | policy_secure | 9.1:r9 |
| ivanti | policy_secure | 22.1:r1 |
| ivanti | policy_secure | 22.1:r6 |
| ivanti | policy_secure | 22.2:r1 |
| ivanti | policy_secure | 22.2:r3 |
| ivanti | policy_secure | 22.3:r1 |
| ivanti | policy_secure | 22.3:r3 |
| ivanti | policy_secure | 22.4:r1 |
| ivanti | policy_secure | 22.4:r2 |
| ivanti | policy_secure | 22.4:r2.1 |
| ivanti | policy_secure | 22.5:r1 |
| ivanti | policy_secure | 22.6:r1 |
| ivanti | neurons_for_zero-trust_access | - |
| ivanti | neurons_for_zero-trust_access | 22.2:r1 |
| ivanti | neurons_for_zero-trust_access | 22.2:r4 |
| ivanti | neurons_for_zero-trust_access | 22.2:r5 |
| ivanti | neurons_for_zero-trust_access | 22.3:r1 |
| ivanti | neurons_for_zero-trust_access | 22.3:r4 |
| ivanti | neurons_for_zero-trust_access | 22.4:r1 |
| ivanti | neurons_for_zero-trust_access | 22.4:r3 |
| ivanti | neurons_for_zero-trust_access | 22.5:r1 |
| ivanti | neurons_for_zero-trust_access | 22.5:r1.2 |
| ivanti | neurons_for_zero-trust_access | 22.6:r1 |
| ivanti | neurons_for_zero-trust_access | 22.6:r1.2 |
𝑥 = Vulnerable software versions