CVE-2024-34787

Published: Nov 13, 2024Modified: May 1, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

Affected (8)

Products: Ivanti: Endpoint Manager

Ivanti

1 product

Endpoint Manager

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Ivanti Endpoint Manager	Before 2022
Ivanti Endpoint Manager	Version 2022
Ivanti Endpoint Manager	Version 2022 su1
Ivanti Endpoint Manager	Version 2022 su2
Ivanti Endpoint Manager	Version 2022 su3
Ivanti Endpoint Manager	Version 2022 su4
Ivanti Endpoint Manager	Version 2022 su5
Ivanti Endpoint Manager	Version 2024

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (1)

https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022

Source: support@hackerone.com

Vendor Advisory

Timeline

No history available yet.