CRITICAL: 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Default status: affected
22.7R2.1 (custom): unaffected
Default status: affected
22.7R1.1 (custom): unaffected
Description
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Problem types
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Product status
22.7R2.1 (custom)
22.7R1.1 (custom)
References
forums.ivanti.com/...Secure-Access-Client-ISAC-Multiple-CVEs