CVE-2024-39710
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
Published: Nov 13, 2024 / Updated: 7d ago
010
No CVSS yetEPSS 0.04%
CVE info copied to clipboard
Argument injection in Ivanti Connect Secure before version 22.7R2 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Timeline
CVE Assignment
NVD published the first details for CVE-2024-39710
Nov 13, 2024 at 2:15 AM
First Article
Feedly found the first article mentioning CVE-2024-39710. See article
Nov 13, 2024 at 2:21 AM / Vulners.com RSS Feed
CVSS Estimate
Feedly estimated the CVSS score as HIGH
Nov 13, 2024 at 2:21 AM
Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Nessus (211454)
Nov 15, 2024 at 8:16 PM
Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Nessus (211467)
Nov 16, 2024 at 12:15 AM
Affected Systems
Ivanti/connect_secure
+null more
Attack Patterns
CAPEC-137: Parameter Injection
+null more
News
Ivanti Policy Secure 22.7R1.2 (Build 1485) Multiple Vulnerabilities
- Command injection in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. - Argument injection in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Pulse Connect Secure < 9.1R18.7 / < 22.7R2.1 Multiple Vulnerabilities (000096001)
Nessus Plugin ID 211454 with Critical Severity Synopsis The remote host is missing one or more security updates. Description The version of Pulse Connect Secure installed on the remote host is prior to 9.1R18.7 or 22.7R2.1. It is, therefore, affected by multiple vulnerabilities as referenced in the 000096001 advisory. - Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (CVE-2024-39710, CVE-2024-39711, CVE-2024-39712) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Upgrade to Pulse Connect Secure version 9.1R18.7 / 22.7R2.1 or later. Read more at https://www.tenable.com/plugins/nessus/211454
Multiple Vulnerabilities in Ivanti Products (November 2024) - Policy Secure
Development Last Updated: 11/15/2024 CVEs: CVE-2024-29211 , CVE-2024-39709 , CVE-2024-9843 , CVE-2024-38654 , CVE-2024-39711 , CVE-2024-37400 , CVE-2024-11005 , CVE-2024-7571 , CVE-2024-11007 , CVE-2024-8495 , CVE-2024-38656 , CVE-2024-47905 , CVE-2024-37398 , CVE-2024-47907 , CVE-2024-38655 , CVE-2024-38649 , CVE-2024-11004 , CVE-2024-9420 , CVE-2024-11006 , CVE-2024-39710 , CVE-2024-47909 , CVE-2024-8539 , CVE-2024-47906 , CVE-2024-39712
Focus Friday: Third-Party Risk Insights Into Atlassian Jira, Ivanti Connect Secure, and Nostromo nhttpd Vulnerabilities With Black Kite’s FocusTags™
Black Kite’s FocusTag™ for Atlassian Jira, published on November 13, 2024, enables TPRM professionals to identify vendors potentially affected by CVE-2021-26086. Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2021-26086 because it allows unauthorized access to sensitive files on vulnerable Jira instances.
Ivanti Releases Fixes for Multiple Vulnerabilities Impacting Connect Secure, Policy Secure, and Secure Access Client
Ivanti Policy Secure (IPS) is a Network Access Control (NAC) solution providing access to authorized and secured users and devices. All the vulnerabilities have a CVSS score of 9.1, impacting various Connect Secure and Policy Secure versions.
See 11 more articles and social media posts