Unspecified SQL Injection Vulnerability Affects Ivanti Endpoint Manager Prior to 2022 SU 5
CVE-2023-39336

8.8HIGH

Key Information:

Vendor: Ivanti
Status: Endpoint Manager
Vendor: CVE Published:; 9 January 2024

Summary

An SQL Injection vulnerability exists within Ivanti Endpoint Manager versions released before 2022 SU 5, permitting attackers with internal network access to execute arbitrary SQL queries without authentication. This flaw poses a risk of unauthorized data retrieval and may lead to remote code execution on the core server under certain conditions. Organizations using the affected software should assess their security posture and implement necessary mitigations to protect their systems from potential exploitation.

Affected Version(s)

Endpoint Manager 2022 SU 5

References

https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-202...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2024
Vulnerability Reserved
Jul 28, 2023

Collectors

NVD DatabaseMitre Database