Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway products that could allow attackers to bypass authentication.
The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system.
“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication,” the company said in an advisory.
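To make the advisory's wording concrete, here is an added example (not Ivanti's code, and not a reproduction of CVE-2024-22024 itself) of what an XXE flaw in a SAML consumer looks like and how it is closed. It uses Python's standard xml.sax parser: one function switches on external general entity resolution, which is the parser setting such a bug comes down to, and a hardened variant disables it and refuses any DOCTYPE, since a SAML response never legitimately carries one. The secret file, the SAML response, the element names and every function name are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

# Constructed secret standing in for a restricted file on the appliance.
SECRET = "session-signing-key=0123456789abcdef"

# Constructed, well-formed SAML response a legitimate IdP might send.
BENIGN_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def write_secret_file():
    """Create a throwaway file the attacker wants to read; returns its path."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET + "\n")
    return path


def build_malicious_response(target_path):
    """Attacker-controlled response: NameID is an external entity pointing at target_path."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE Response [<!ENTITY xxe SYSTEM "{target_path}">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>&xxe;</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
""".encode()


class NameIdCollector(ContentHandler):
    """Accumulates the text content of <saml:NameID>, as a SAML consumer would."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.name_id = ""

    def startElement(self, name, attrs):
        if name == "saml:NameID":
            self._inside = True

    def endElement(self, name):
        if name == "saml:NameID":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.name_id += content


class RejectDoctype:
    """SAX lexical handler that aborts on any DOCTYPE; a SAML response never needs one."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in a SAML response")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def extract_name_id(xml_bytes, resolve_external_entities):
    """Parse like a consumer that trusts the parser's feature flags.
    resolve_external_entities=True reproduces the XXE-prone configuration."""
    parser = xml.sax.make_parser()
    collector = NameIdCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.name_id.strip()


def extract_name_id_hardened(xml_bytes):
    """Hardened consumer: external entities off AND any DOCTYPE rejected outright."""
    parser = xml.sax.make_parser()
    collector = NameIdCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.name_id.strip()


def run_demo():
    """Run the four cases and return their outcomes; removes the temp file afterwards."""
    path = write_secret_file()
    try:
        evil = build_malicious_response(path)
        try:
            hardened = extract_name_id_hardened(evil)
        except ValueError as err:
            hardened = "rejected: " + str(err)
        return {
            "vulnerable": extract_name_id(evil, True),        # file contents leak into NameID
            "entities_disabled": extract_name_id(evil, False),  # entity silently empty
            "hardened": hardened,                               # parse refused
            "hardened_benign": extract_name_id_hardened(BENIGN_RESPONSE),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome!r}")
```

Two points worth keeping in mind when reading this. First, the parser has to read the whole document before any XML signature on it can be located and checked, so signature validation on the assertion does nothing to stop the entity from being resolved; the fix has to be in the parser configuration. Second, the "entities disabled" case quietly yields an empty NameID, which is safe but hides the attack; rejecting the DOCTYPE altogether both blocks it and leaves a clear error to log and alert on.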
The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.
CVE-2024-22024 affects the following versions of the products:
- Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
- Ivanti Policy Secure (version 22.5R1.1)
- ZTA (version 22.6R1.3)
Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.
Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 already under broad abuse, it is imperative that users move quickly to apply the latest fixes.