CVE-2024-11633

Published: Dec 10, 2024Modified: Jan 17, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution

Affected (12)

Products: Ivanti: Connect Secure

Ivanti

1 product

Connect Secure

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Before 22.7
Ivanti Connect Secure	Version 22.7
Ivanti Connect Secure	Version 22.7 r1.1
Ivanti Connect Secure	Version 22.7 r1.2
Ivanti Connect Secure	Version 22.7 r1.3
Ivanti Connect Secure	Version 22.7 r1.4
Ivanti Connect Secure	Version 22.7 r1.5
Ivanti Connect Secure	Version 22.7 r1
Ivanti Connect Secure	Version 22.7 r2.1
Ivanti Connect Secure	Version 22.7 r2.2
Ivanti Connect Secure	Version 22.7 r2.3
Ivanti Connect Secure	Version 22.7 r2

Related CWEs

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References (1)

https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Vendor Advisory

Timeline

No history available yet.