Ivanti Connect Secure XML Entity Expansion Vulnerability Could Lead to Limited-Time DoS
CVE-2024-22023

5.3MEDIUM

Key Information:

Vendor: Ivanti
Status: Connect Secure; Policy Secure
Vendor: CVE Published:; 4 April 2024

Summary

An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

Affected Version(s)

Connect Secure 22.1R6.2

Connect Secure 22.2R4.2

Connect Secure 22.3R1.2

References

https://forums.ivanti.com/s/article/New-CVE-2024-21894-He...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 4, 2024

Collectors

NVD DatabaseMitre Database