Ivanti Connect Secure XML Entity Expansion Vulnerability Could Lead to Limited-Time DoS

CVE-2024-22023

5.3MEDIUM

Key Information

Vendor: Ivanti
Status: Connect Secure; Policy Secure
Vendor: CVE Published:; 4 April 2024

Summary

An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

Affected Version(s)

Connect Secure < 22.1R6.2

Connect Secure < 22.2R4.2

Connect Secure < 22.3R1.2

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Apr 4, 2024

Collectors

NVD DatabaseMitre Database