CVE-2024-9420

Published: Nov 12, 2024Modified: Mar 13, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution

Affected (72)

Products: Ivanti: Connect Secure, Policy Secure

Ivanti

2 products

Connect Secure

Policy Secure

Configuration A

72 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Before 9.1
Ivanti Connect Secure	From 21.9 to 22.7
Ivanti Connect Secure	Version 22.7
Ivanti Connect Secure	Version 22.7 r1.1
Ivanti Connect Secure	Version 22.7 r1.2
Ivanti Connect Secure	Version 22.7 r1.3
Ivanti Connect Secure	Version 22.7 r1.4
Ivanti Connect Secure	Version 22.7 r1.5
Ivanti Connect Secure	Version 22.7 r1
Ivanti Connect Secure	Version 22.7 r2.1
Ivanti Connect Secure	Version 22.7 r2.2
Ivanti Connect Secure	Version 22.7 r2
Ivanti Connect Secure	Version 9.1
Ivanti Connect Secure	Version 9.1 r1.0
Ivanti Connect Secure	Version 9.1 r10.0
Ivanti Connect Secure	Version 9.1 r10.2
Ivanti Connect Secure	Version 9.1 r10
Ivanti Connect Secure	Version 9.1 r11.0
Ivanti Connect Secure	Version 9.1 r11.1
Ivanti Connect Secure	Version 9.1 r11.3
Ivanti Connect Secure	Version 9.1 r11.4
Ivanti Connect Secure	Version 9.1 r11.5
Ivanti Connect Secure	Version 9.1 r11
Ivanti Connect Secure	Version 9.1 r12.1
Ivanti Connect Secure	Version 9.1 r12.2
Ivanti Connect Secure	Version 9.1 r12
Ivanti Connect Secure	Version 9.1 r13.1
Ivanti Connect Secure	Version 9.1 r13
Ivanti Connect Secure	Version 9.1 r14.4
Ivanti Connect Secure	Version 9.1 r14
Ivanti Connect Secure	Version 9.1 r15.2
Ivanti Connect Secure	Version 9.1 r15
Ivanti Connect Secure	Version 9.1 r16.1
Ivanti Connect Secure	Version 9.1 r16
Ivanti Connect Secure	Version 9.1 r17.1
Ivanti Connect Secure	Version 9.1 r17.2
Ivanti Connect Secure	Version 9.1 r17
Ivanti Connect Secure	Version 9.1 r18.1
Ivanti Connect Secure	Version 9.1 r18.2
Ivanti Connect Secure	Version 9.1 r18.3
Ivanti Connect Secure	Version 9.1 r18.7
Ivanti Connect Secure	Version 9.1 r18.8
Ivanti Connect Secure	Version 9.1 r18
Ivanti Connect Secure	Version 9.1 r1
Ivanti Connect Secure	Version 9.1 r2.0
Ivanti Connect Secure	Version 9.1 r2
Ivanti Connect Secure	Version 9.1 r3.0
Ivanti Connect Secure	Version 9.1 r3
Ivanti Connect Secure	Version 9.1 r4.0
Ivanti Connect Secure	Version 9.1 r4.1
Ivanti Connect Secure	Version 9.1 r4.2
Ivanti Connect Secure	Version 9.1 r4.3
Ivanti Connect Secure	Version 9.1 r4
Ivanti Connect Secure	Version 9.1 r5.0
Ivanti Connect Secure	Version 9.1 r5
Ivanti Connect Secure	Version 9.1 r6.0
Ivanti Connect Secure	Version 9.1 r6
Ivanti Connect Secure	Version 9.1 r7.0
Ivanti Connect Secure	Version 9.1 r7
Ivanti Connect Secure	Version 9.1 r8.0
Ivanti Connect Secure	Version 9.1 r8.1
Ivanti Connect Secure	Version 9.1 r8.2
Ivanti Connect Secure	Version 9.1 r8.4
Ivanti Connect Secure	Version 9.1 r8
Ivanti Connect Secure	Version 9.1 r9.0
Ivanti Connect Secure	Version 9.1 r9.1
Ivanti Connect Secure	Version 9.1 r9.2
Ivanti Connect Secure	Version 9.1 r9
Ivanti Policy Secure	Before 22.7
Ivanti Policy Secure	Version 22.7
Ivanti Policy Secure	Version 22.7 r1.1
Ivanti Policy Secure	Version 22.7 r1

Related CWEs

CWE-416

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (1)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Vendor Advisory

Timeline

No history available yet.