A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Weakness
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Connect_secure | Ivanti | 9.0 (including) | 9.0 (including) |
| Connect_secure | Ivanti | 9.0-r1 (including) | 9.0-r1 (including) |
| Connect_secure | Ivanti | 9.0-r2 (including) | 9.0-r2 (including) |
| Connect_secure | Ivanti | 9.0-r2.1 (including) | 9.0-r2.1 (including) |
| Connect_secure | Ivanti | 9.0-r3 (including) | 9.0-r3 (including) |
| Connect_secure | Ivanti | 9.0-r3.1 (including) | 9.0-r3.1 (including) |
| Connect_secure | Ivanti | 9.0-r3.2 (including) | 9.0-r3.2 (including) |
| Connect_secure | Ivanti | 9.0-r3.3 (including) | 9.0-r3.3 (including) |
| Connect_secure | Ivanti | 9.0-r3.5 (including) | 9.0-r3.5 (including) |
| Connect_secure | Ivanti | 9.0-r4 (including) | 9.0-r4 (including) |
| Connect_secure | Ivanti | 9.0-r4.1 (including) | 9.0-r4.1 (including) |
| Connect_secure | Ivanti | 9.0-r5.0 (including) | 9.0-r5.0 (including) |
| Connect_secure | Ivanti | 9.0-r6.0 (including) | 9.0-r6.0 (including) |
| Connect_secure | Ivanti | 9.1-r1 (including) | 9.1-r1 (including) |
| Connect_secure | Ivanti | 9.1-r10 (including) | 9.1-r10 (including) |
| Connect_secure | Ivanti | 9.1-r11 (including) | 9.1-r11 (including) |
| Connect_secure | Ivanti | 9.1-r11.3 (including) | 9.1-r11.3 (including) |
| Connect_secure | Ivanti | 9.1-r11.4 (including) | 9.1-r11.4 (including) |
| Connect_secure | Ivanti | 9.1-r11.5 (including) | 9.1-r11.5 (including) |
| Connect_secure | Ivanti | 9.1-r12 (including) | 9.1-r12 (including) |
| Connect_secure | Ivanti | 9.1-r12.1 (including) | 9.1-r12.1 (including) |
| Connect_secure | Ivanti | 9.1-r13 (including) | 9.1-r13 (including) |
| Connect_secure | Ivanti | 9.1-r13.1 (including) | 9.1-r13.1 (including) |
| Connect_secure | Ivanti | 9.1-r14 (including) | 9.1-r14 (including) |
| Connect_secure | Ivanti | 9.1-r15 (including) | 9.1-r15 (including) |
| Connect_secure | Ivanti | 9.1-r15.2 (including) | 9.1-r15.2 (including) |
| Connect_secure | Ivanti | 9.1-r16 (including) | 9.1-r16 (including) |
| Connect_secure | Ivanti | 9.1-r16.1 (including) | 9.1-r16.1 (including) |
| Connect_secure | Ivanti | 9.1-r17 (including) | 9.1-r17 (including) |
| Connect_secure | Ivanti | 9.1-r17.1 (including) | 9.1-r17.1 (including) |
| Connect_secure | Ivanti | 9.1-r18 (including) | 9.1-r18 (including) |
| Connect_secure | Ivanti | 9.1-r18.1 (including) | 9.1-r18.1 (including) |
| Connect_secure | Ivanti | 9.1-r18.2 (including) | 9.1-r18.2 (including) |
| Connect_secure | Ivanti | 9.1-r2 (including) | 9.1-r2 (including) |
| Connect_secure | Ivanti | 9.1-r3 (including) | 9.1-r3 (including) |
| Connect_secure | Ivanti | 9.1-r4 (including) | 9.1-r4 (including) |
| Connect_secure | Ivanti | 9.1-r4.1 (including) | 9.1-r4.1 (including) |
| Connect_secure | Ivanti | 9.1-r4.2 (including) | 9.1-r4.2 (including) |
| Connect_secure | Ivanti | 9.1-r4.3 (including) | 9.1-r4.3 (including) |
| Connect_secure | Ivanti | 9.1-r5 (including) | 9.1-r5 (including) |
| Connect_secure | Ivanti | 9.1-r6 (including) | 9.1-r6 (including) |
| Connect_secure | Ivanti | 9.1-r7 (including) | 9.1-r7 (including) |
| Connect_secure | Ivanti | 9.1-r8 (including) | 9.1-r8 (including) |
| Connect_secure | Ivanti | 9.1-r8.1 (including) | 9.1-r8.1 (including) |
| Connect_secure | Ivanti | 9.1-r8.2 (including) | 9.1-r8.2 (including) |
| Connect_secure | Ivanti | 9.1-r9 (including) | 9.1-r9 (including) |
| Connect_secure | Ivanti | 9.1-r9.1 (including) | 9.1-r9.1 (including) |
| Connect_secure | Ivanti | 21.9-r1 (including) | 21.9-r1 (including) |
| Connect_secure | Ivanti | 21.12-r1 (including) | 21.12-r1 (including) |
| Connect_secure | Ivanti | 22.1-r1 (including) | 22.1-r1 (including) |
| Connect_secure | Ivanti | 22.1-r6 (including) | 22.1-r6 (including) |
| Connect_secure | Ivanti | 22.2 (including) | 22.2 (including) |
| Connect_secure | Ivanti | 22.2-r1 (including) | 22.2-r1 (including) |
| Connect_secure | Ivanti | 22.3-r1 (including) | 22.3-r1 (including) |
| Connect_secure | Ivanti | 22.4-r1 (including) | 22.4-r1 (including) |
| Connect_secure | Ivanti | 22.4-r2.1 (including) | 22.4-r2.1 (including) |
| Connect_secure | Ivanti | 22.6 (including) | 22.6 (including) |
| Connect_secure | Ivanti | 22.6-r1 (including) | 22.6-r1 (including) |
| Connect_secure | Ivanti | 22.6-r2 (including) | 22.6-r2 (including) |
| Connect_secure | Ivanti | 22.6-r2.1 (including) | 22.6-r2.1 (including) |
| Policy_secure | Ivanti | 9.0 (including) | 9.0 (including) |
| Policy_secure | Ivanti | 9.0-r1 (including) | 9.0-r1 (including) |
| Policy_secure | Ivanti | 9.0-r2 (including) | 9.0-r2 (including) |
| Policy_secure | Ivanti | 9.0-r2.1 (including) | 9.0-r2.1 (including) |
| Policy_secure | Ivanti | 9.0-r3 (including) | 9.0-r3 (including) |
| Policy_secure | Ivanti | 9.0-r3.1 (including) | 9.0-r3.1 (including) |
| Policy_secure | Ivanti | 9.0-r4 (including) | 9.0-r4 (including) |
| Policy_secure | Ivanti | 9.1 (including) | 9.1 (including) |
| Policy_secure | Ivanti | 9.1-r1 (including) | 9.1-r1 (including) |
| Policy_secure | Ivanti | 9.1-r10 (including) | 9.1-r10 (including) |
| Policy_secure | Ivanti | 9.1-r11 (including) | 9.1-r11 (including) |
| Policy_secure | Ivanti | 9.1-r12 (including) | 9.1-r12 (including) |
| Policy_secure | Ivanti | 9.1-r13 (including) | 9.1-r13 (including) |
| Policy_secure | Ivanti | 9.1-r13.1 (including) | 9.1-r13.1 (including) |
| Policy_secure | Ivanti | 9.1-r14 (including) | 9.1-r14 (including) |
| Policy_secure | Ivanti | 9.1-r15 (including) | 9.1-r15 (including) |
| Policy_secure | Ivanti | 9.1-r16 (including) | 9.1-r16 (including) |
| Policy_secure | Ivanti | 9.1-r17 (including) | 9.1-r17 (including) |
| Policy_secure | Ivanti | 9.1-r18 (including) | 9.1-r18 (including) |
| Policy_secure | Ivanti | 9.1-r18.1 (including) | 9.1-r18.1 (including) |
| Policy_secure | Ivanti | 9.1-r18.2 (including) | 9.1-r18.2 (including) |
| Policy_secure | Ivanti | 9.1-r2 (including) | 9.1-r2 (including) |
| Policy_secure | Ivanti | 9.1-r3 (including) | 9.1-r3 (including) |
| Policy_secure | Ivanti | 9.1-r3.1 (including) | 9.1-r3.1 (including) |
| Policy_secure | Ivanti | 9.1-r4 (including) | 9.1-r4 (including) |
| Policy_secure | Ivanti | 9.1-r4.1 (including) | 9.1-r4.1 (including) |
| Policy_secure | Ivanti | 9.1-r4.2 (including) | 9.1-r4.2 (including) |
| Policy_secure | Ivanti | 9.1-r4.3 (including) | 9.1-r4.3 (including) |
| Policy_secure | Ivanti | 9.1-r5 (including) | 9.1-r5 (including) |
| Policy_secure | Ivanti | 9.1-r6 (including) | 9.1-r6 (including) |
| Policy_secure | Ivanti | 9.1-r7 (including) | 9.1-r7 (including) |
| Policy_secure | Ivanti | 9.1-r8 (including) | 9.1-r8 (including) |
| Policy_secure | Ivanti | 9.1-r8.1 (including) | 9.1-r8.1 (including) |
| Policy_secure | Ivanti | 9.1-r8.2 (including) | 9.1-r8.2 (including) |
| Policy_secure | Ivanti | 9.1-r9 (including) | 9.1-r9 (including) |
| Policy_secure | Ivanti | 22.1-r1 (including) | 22.1-r1 (including) |
| Policy_secure | Ivanti | 22.1-r6 (including) | 22.1-r6 (including) |
| Policy_secure | Ivanti | 22.2-r1 (including) | 22.2-r1 (including) |
| Policy_secure | Ivanti | 22.2-r3 (including) | 22.2-r3 (including) |
| Policy_secure | Ivanti | 22.3-r1 (including) | 22.3-r1 (including) |
| Policy_secure | Ivanti | 22.3-r3 (including) | 22.3-r3 (including) |
| Policy_secure | Ivanti | 22.4-r1 (including) | 22.4-r1 (including) |
| Policy_secure | Ivanti | 22.4-r2 (including) | 22.4-r2 (including) |
| Policy_secure | Ivanti | 22.4-r2.1 (including) | 22.4-r2.1 (including) |
| Policy_secure | Ivanti | 22.5-r1 (including) | 22.5-r1 (including) |
| Policy_secure | Ivanti | 22.6-r1 (including) | 22.6-r1 (including) |
Related Attack Patterns
References
- https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
- https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21893