An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.
History
03 Oct 2024, 22:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-703 |
08 Apr 2024, 22:51
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.0:r3.1:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r15:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:22.4:*:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r1:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r7:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r2:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.0:r4:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.0:r3:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r10:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r12:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r9:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r13:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r16:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r4:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r18:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r13:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r11:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r17:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r14:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:22.6:*:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.0:r2:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.0:r2.1:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r17:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r8:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r11:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:22.1:*:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:22.4:*:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:22.5:*:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:22.2:*:*:*:*:*:*:* 
cpe:2.3:a:ivanti:connect_secure:22.2:*:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:22.3:*:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r10:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.0:-:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:-:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r14:*:*:lts:*:*:* cpe:2.3:a:ivanti:connect_secure:22.3:*:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:22.6:*:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.0:r1:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r11.5:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:22.5:*:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r15:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r5:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r18:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r16:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:22.1:*:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r3:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r12:*:*:*:*:*:* cpe:2.3:a:ivanti:policy_secure:9.1:r6:*:*:*:*:*:* cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:* |
First Time | Ivanti, Ivanti Connect Secure, Ivanti Policy Secure |
References | https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US - Vendor Advisory |
CWE | CWE-476 |
05 Apr 2024, 12:40
Type | Values Removed | Values Added |
---|---|---|
Summary |
04 Apr 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-04 20:15
Updated : 2024-10-03 22:35
NVD link : CVE-2024-22023
Mitre link : CVE-2024-22023
CVE.ORG link : CVE-2024-22023
Products Affected
ivanti
- connect_secure
- policy_secure