8.2
CVE-2023-46805
- EPSS 94.38%
- Published 12.01.2024 17:15:09
- Last modified 27.01.2025 21:53:11
- Source support@hackerone.com
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Data provided by the National Vulnerability Database (NVD)
Ivanti ≫ Connect Secure Version 9.0
Ivanti ≫ Connect Secure Version 9.1 Update r1
Ivanti ≫ Connect Secure Version 9.1 Update r10
Ivanti ≫ Connect Secure Version 9.1 Update r11
Ivanti ≫ Connect Secure Version 9.1 Update r11.3
Ivanti ≫ Connect Secure Version 9.1 Update r11.4
Ivanti ≫ Connect Secure Version 9.1 Update r11.5
Ivanti ≫ Connect Secure Version 9.1 Update r12
Ivanti ≫ Connect Secure Version 9.1 Update r12.1
Ivanti ≫ Connect Secure Version 9.1 Update r13
Ivanti ≫ Connect Secure Version 9.1 Update r13.1
Ivanti ≫ Connect Secure Version 9.1 Update r14
Ivanti ≫ Connect Secure Version 9.1 Update r15
Ivanti ≫ Connect Secure Version 9.1 Update r15.2
Ivanti ≫ Connect Secure Version 9.1 Update r16
Ivanti ≫ Connect Secure Version 9.1 Update r16.1
Ivanti ≫ Connect Secure Version 9.1 Update r17
Ivanti ≫ Connect Secure Version 9.1 Update r17.1
Ivanti ≫ Connect Secure Version 9.1 Update r18
Ivanti ≫ Connect Secure Version 9.1 Update r2
Ivanti ≫ Connect Secure Version 9.1 Update r3
Ivanti ≫ Connect Secure Version 9.1 Update r4
Ivanti ≫ Connect Secure Version 9.1 Update r4.1
Ivanti ≫ Connect Secure Version 9.1 Update r4.2
Ivanti ≫ Connect Secure Version 9.1 Update r4.3
Ivanti ≫ Connect Secure Version 9.1 Update r5
Ivanti ≫ Connect Secure Version 9.1 Update r6
Ivanti ≫ Connect Secure Version 9.1 Update r7
Ivanti ≫ Connect Secure Version 9.1 Update r8
Ivanti ≫ Connect Secure Version 9.1 Update r8.1
Ivanti ≫ Connect Secure Version 9.1 Update r8.2
Ivanti ≫ Connect Secure Version 9.1 Update r9
Ivanti ≫ Connect Secure Version 9.1 Update r9.1
Ivanti ≫ Connect Secure Version 22.1 Update r1
Ivanti ≫ Connect Secure Version 22.1 Update r6
Ivanti ≫ Connect Secure Version 22.2 Update -
Ivanti ≫ Connect Secure Version 22.2 Update r1
Ivanti ≫ Connect Secure Version 22.3 Update r1
Ivanti ≫ Connect Secure Version 22.4 Update r1
Ivanti ≫ Connect Secure Version 22.4 Update r2.1
Ivanti ≫ Connect Secure Version 22.5 Update r2.1
Ivanti ≫ Connect Secure Version 22.6 Update -
Ivanti ≫ Connect Secure Version 22.6 Update r1
Ivanti ≫ Connect Secure Version 22.6 Update r2
Ivanti ≫ Policy Secure Version 9.0
Ivanti ≫ Policy Secure Version 9.1 Update r1
Ivanti ≫ Policy Secure Version 9.1 Update r10
Ivanti ≫ Policy Secure Version 9.1 Update r11
Ivanti ≫ Policy Secure Version 9.1 Update r12
Ivanti ≫ Policy Secure Version 9.1 Update r13
Ivanti ≫ Policy Secure Version 9.1 Update r13.1
Ivanti ≫ Policy Secure Version 9.1 Update r14
Ivanti ≫ Policy Secure Version 9.1 Update r15
Ivanti ≫ Policy Secure Version 9.1 Update r16
Ivanti ≫ Policy Secure Version 9.1 Update r17
Ivanti ≫ Policy Secure Version 9.1 Update r18
Ivanti ≫ Policy Secure Version 9.1 Update r2
Ivanti ≫ Policy Secure Version 9.1 Update r3
Ivanti ≫ Policy Secure Version 9.1 Update r3.1
Ivanti ≫ Policy Secure Version 9.1 Update r4
Ivanti ≫ Policy Secure Version 9.1 Update r4.1
Ivanti ≫ Policy Secure Version 9.1 Update r4.2
Ivanti ≫ Policy Secure Version 9.1 Update r5
Ivanti ≫ Policy Secure Version 9.1 Update r6
Ivanti ≫ Policy Secure Version 9.1 Update r7
Ivanti ≫ Policy Secure Version 9.1 Update r8
Ivanti ≫ Policy Secure Version 9.1 Update r8.1
Ivanti ≫ Policy Secure Version 9.1 Update r8.2
Ivanti ≫ Policy Secure Version 9.1 Update r9
Ivanti ≫ Policy Secure Version 22.1 Update r1
Ivanti ≫ Policy Secure Version 22.1 Update r6
Ivanti ≫ Policy Secure Version 22.2 Update r1
Ivanti ≫ Policy Secure Version 22.2 Update r3
Ivanti ≫ Policy Secure Version 22.3 Update r1
Ivanti ≫ Policy Secure Version 22.3 Update r3
Ivanti ≫ Policy Secure Version 22.4 Update r1
Ivanti ≫ Policy Secure Version 22.4 Update r2
Ivanti ≫ Policy Secure Version 22.4 Update r2.1
Ivanti ≫ Policy Secure Version 22.5 Update r1
Ivanti ≫ Policy Secure Version 22.5 Update r2.1
Ivanti ≫ Policy Secure Version 22.6 Update r1
10.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vulnerability: Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
Description: Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
Required actions: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 94.38% | 1 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
support@hackerone.com | 8.2 | 3.9 | 4.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.