CVE-2024-47906

Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.

CVSS v3.0 7.8 HIGH

7.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ivanti:policy_secure::::::::
	cpe:2.3:a:ivanti:connect_secure::::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.5::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.4::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.3::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.2::::::
	cpe:2.3:a:ivanti:connect_secure::::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:-::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.1::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.1::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.2::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:r1::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:r1.1::::::
	cpe:2.3:a:ivanti:policy_secure::::::::

History

17 Jan 2025, 20:27

Type	Values Removed	Values Added
CWE		NVD-CWE-Other CWE-426
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
First Time		Ivanti connect Secure Ivanti policy Secure Ivanti
CPE		cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.5:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.2:::::: cpe:2.3:a:ivanti:connect_secure:22.7:-:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.3:::::: cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.4:::::: cpe:2.3:a:ivanti:policy_secure:::::::: cpe:2.3:a:ivanti:policy_secure:22.7:r1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2:::::: cpe:2.3:a:ivanti:connect_secure::::::::
References	~~() https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs -~~	() https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs - Vendor Advisory
Summary	Excessive binary privileges in Ivanti Connect Secure which affects versions 22.4R2 through 22.7R2.2 inclusive within the R2 release line and Ivanti Policy Secure before version 22.7R1.2 allow a local authenticated attacker to escalate privileges.	Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.

12 Nov 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-12 16:15

Updated : 2025-01-17 20:27

NVD link : CVE-2024-47906

Mitre link : CVE-2024-47906

JSON object : View

Products Affected

ivanti

policy_secure
connect_secure

CWE

NVD-CWE-Other CWE-426

Untrusted Search Path

7.8 /10