5.3

CVE-2024-22023

An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

Data is provided by the National Vulnerability Database (NVD)
IvantiConnect Secure Version9.1 Updater1
IvantiConnect Secure Version9.1 Updater10
IvantiConnect Secure Version9.1 Updater11
IvantiConnect Secure Version9.1 Updater11.5
IvantiConnect Secure Version9.1 Updater12
IvantiConnect Secure Version9.1 Updater13
IvantiConnect Secure Version9.1 Updater14 SwEditionlts
IvantiConnect Secure Version9.1 Updater15
IvantiConnect Secure Version9.1 Updater16
IvantiConnect Secure Version9.1 Updater17
IvantiConnect Secure Version9.1 Updater18
IvantiConnect Secure Version9.1 Updater2
IvantiConnect Secure Version9.1 Updater3
IvantiConnect Secure Version9.1 Updater4
IvantiConnect Secure Version9.1 Updater4.1
IvantiConnect Secure Version9.1 Updater4.2
IvantiConnect Secure Version9.1 Updater4.3
IvantiConnect Secure Version9.1 Updater5
IvantiConnect Secure Version9.1 Updater6
IvantiConnect Secure Version9.1 Updater7
IvantiConnect Secure Version9.1 Updater8
IvantiConnect Secure Version9.1 Updater9
IvantiConnect Secure Version22.1
IvantiConnect Secure Version22.2
IvantiConnect Secure Version22.3
IvantiConnect Secure Version22.4
IvantiConnect Secure Version22.5
IvantiConnect Secure Version22.6
IvantiPolicy Secure Version9.0 Update-
IvantiPolicy Secure Version9.0 Updater1
IvantiPolicy Secure Version9.0 Updater2
IvantiPolicy Secure Version9.0 Updater2.1
IvantiPolicy Secure Version9.0 Updater3
IvantiPolicy Secure Version9.0 Updater3.1
IvantiPolicy Secure Version9.0 Updater4
IvantiPolicy Secure Version9.1 Update-
IvantiPolicy Secure Version9.1 Updater1
IvantiPolicy Secure Version9.1 Updater10
IvantiPolicy Secure Version9.1 Updater11
IvantiPolicy Secure Version9.1 Updater12
IvantiPolicy Secure Version9.1 Updater13
IvantiPolicy Secure Version9.1 Updater14
IvantiPolicy Secure Version9.1 Updater15
IvantiPolicy Secure Version9.1 Updater16
IvantiPolicy Secure Version9.1 Updater17
IvantiPolicy Secure Version9.1 Updater18
IvantiPolicy Secure Version9.1 Updater2
IvantiPolicy Secure Version9.1 Updater3
IvantiPolicy Secure Version9.1 Updater4
IvantiPolicy Secure Version9.1 Updater5
IvantiPolicy Secure Version9.1 Updater6
IvantiPolicy Secure Version9.1 Updater7
IvantiPolicy Secure Version9.1 Updater8
IvantiPolicy Secure Version9.1 Updater9
IvantiPolicy Secure Version22.1
IvantiPolicy Secure Version22.2
IvantiPolicy Secure Version22.3
IvantiPolicy Secure Version22.4
IvantiPolicy Secure Version22.5
IvantiPolicy Secure Version22.6
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.72% 0.717
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
support@hackerone.com 5.3 3.9 1.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

CWE-703 Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.