CVE-2024-39711

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Nov 13, 2024 / Updated: 7d ago

No CVSS yet. EPSS 0.04%

Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
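The advisory text above names the weakness class (CWE-88) but not the injection point, and nothing here should be read as Ivanti's code. As an added, generic illustration of what argument injection looks like in an administrative web console, the block below models a hypothetical "export" feature that archives administrator-chosen directories by running tar without a shell. The feature, the tar invocation, the archive path and the allowlist regex are all assumptions made for this example. Because no shell is involved there is no metacharacter injection (CWE-78), yet a value that starts with "-" is still parsed by the child process as an option, which for tools with exec-style options (GNU tar's documented --checkpoint-action=exec is one) turns into command execution. The hardened builder validates each value and ends option parsing with "--".

```python
import re
from typing import List

# Hypothetical export feature, for illustration only (not Ivanti's code):
# administrator-chosen directories are archived with tar, invoked directly
# (argv list, no shell). The archive path is an assumption.
ARCHIVE = "/tmp/export.tar"

# Allowlist for an administrator-supplied path: absolute, plain path segments,
# and no segment that starts with '-' (so nothing can be read as an option).
_SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9_.][A-Za-z0-9_.-]*/?)*$")


def build_export_argv_vulnerable(paths: List[str]) -> List[str]:
    """CWE-88: untrusted values are appended to argv unchanged.

    A value such as '--checkpoint-action=exec=/bin/sh' is one argv element,
    so no shell quoting would have helped; tar itself parses it as an option.
    """
    return ["tar", "-cf", ARCHIVE, *paths]


def build_export_argv_hardened(paths: List[str]) -> List[str]:
    """Validate every value, then terminate option parsing with '--'."""
    for p in paths:
        if p.startswith("-") or not _SAFE_PATH.match(p):
            raise ValueError(f"rejected path value: {p!r}")
        if ".." in p.split("/"):
            raise ValueError(f"rejected traversal in path value: {p!r}")
    # For getopt-style parsers everything after '--' is positional, so even a
    # value that somehow survives validation can never become an option.
    return ["tar", "-cf", ARCHIVE, "--", *paths]


def is_rejected(paths: List[str]) -> bool:
    """True if the hardened builder refuses this input (used for checks)."""
    try:
        build_export_argv_hardened(paths)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: one legitimate directory and two injected values.
    attacker_input = ["/var/log", "--checkpoint=1", "--checkpoint-action=exec=/bin/sh"]
    print("vulnerable argv:", build_export_argv_vulnerable(attacker_input))
    print("hardened rejects it:", is_rejected(attacker_input))
    print("hardened argv:", build_export_argv_hardened(["/var/log", "/etc/ssl"]))
```

The two defences are independent and both are worth keeping: the allowlist stops the obviously hostile value at the web layer, and the "--" terminator removes the remaining trust placed in the child process's option parser. Note that "--" only helps with getopt-style tools; a program with its own argument parser has to be checked individually.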

Timeline

CVE Assignment

NVD published the first details for CVE-2024-39711

Nov 13, 2024 at 2:15 AM
First Article

Feedly found the first article mentioning CVE-2024-39711. See article

Nov 13, 2024 at 2:21 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 13, 2024 at 2:21 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.1%)

Nov 13, 2024 at 5:07 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (211454)

Nov 15, 2024 at 8:16 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (211467)

Nov 16, 2024 at 12:15 AM

Affected Systems

Ivanti/connect_secure

Attack Patterns

CAPEC-137: Parameter Injection

News

Ivanti Policy Secure 22.7R1.2 (Build 1485) Multiple Vulnerabilities
- Command injection in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. - Argument injection in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Pulse Connect Secure < 9.1R18.7 / < 22.7R2.1 Multiple Vulnerabilities (000096001)
Nessus Plugin ID 211454 with Critical Severity Synopsis The remote host is missing one or more security updates. Description The version of Pulse Connect Secure installed on the remote host is prior to 9.1R18.7 or 22.7R2.1. It is, therefore, affected by multiple vulnerabilities as referenced in the 000096001 advisory. - Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (CVE-2024-39710, CVE-2024-39711, CVE-2024-39712) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Upgrade to Pulse Connect Secure version 9.1R18.7 / 22.7R2.1 or later. Read more at https://www.tenable.com/plugins/nessus/211454
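The Nessus plugin above detects this issue purely from the self-reported version string, and the fixed versions differ per branch (9.1R18.7 and 22.7R2.1 for Connect Secure, 22.7R1.1 for Policy Secure). Comparing Ivanti's "major.minorRrelease.patch" strings correctly is the part people get wrong, so here is an added example (not Tenable's or Ivanti's code) that parses such strings and applies the branch-aware "before version" test stated in the advisory text on this page. The product keys, the regex and the treatment of a "(Build NNNN)" suffix are assumptions; it inherits the same caveat as the plugin, namely that a version string says nothing about whether a device was already compromised before patching.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, release, patch)

# Fixed versions exactly as stated in the advisory text on this page, keyed by
# product and then by major branch. The product names are this example's own.
FIXED: Dict[str, Dict[int, Version]] = {
    "connect_secure": {22: (22, 7, 2, 1), 9: (9, 1, 18, 7)},
    "policy_secure": {22: (22, 7, 1, 1)},
}

# Accepts "22.7R2.1", "9.1R18", "22.7R1.2 (Build 1485)"; the build suffix and
# anything after the patch number are ignored (an assumption for this example).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(product: str, version_text: str) -> Optional[bool]:
    """True if version is before the fixed release for its branch.

    Returns None when the advisory text on this page gives no fixed version
    for that product/branch combination, rather than guessing.
    """
    v = parse_version(version_text)
    fixed = FIXED[product].get(v[0])
    if fixed is None:
        return None
    # Tuple comparison orders (major, minor, release, patch) lexicographically,
    # which is exactly "before version X" for this scheme.
    return v < fixed


if __name__ == "__main__":
    # Constructed sample inventory: (product, reported version)
    inventory = [
        ("connect_secure", "22.7R2.1"),
        ("connect_secure", "22.7R2"),
        ("connect_secure", "9.1R18.6"),
        ("policy_secure", "22.7R1.2 (Build 1485)"),
        ("policy_secure", "9.1R18.7"),
    ]
    for product, ver in inventory:
        print(f"{product:15} {ver:25} affected={is_affected(product, ver)}")
```

Version-only checks are fine for tracking patch rollout, but for an internet-facing gateway the check that matters after an admin-level RCE is an integrity check of the appliance itself; a clean version number after upgrading does not clear a device that was already compromised.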
Multiple Vulnerabilities in Ivanti Products (November 2024) - Policy Secure
Development Last Updated: 11/15/2024 CVEs: CVE-2024-29211 , CVE-2024-39709 , CVE-2024-9843 , CVE-2024-38654 , CVE-2024-39711 , CVE-2024-37400 , CVE-2024-11005 , CVE-2024-7571 , CVE-2024-11007 , CVE-2024-8495 , CVE-2024-38656 , CVE-2024-47905 , CVE-2024-37398 , CVE-2024-47907 , CVE-2024-38655 , CVE-2024-38649 , CVE-2024-11004 , CVE-2024-9420 , CVE-2024-11006 , CVE-2024-39710 , CVE-2024-47909 , CVE-2024-8539 , CVE-2024-47906 , CVE-2024-39712
Focus Friday: Third-Party Risk Insights Into Atlassian Jira, Ivanti Connect Secure, and Nostromo nhttpd Vulnerabilities With Black Kite’s FocusTags™
Black Kite’s FocusTag™ for Atlassian Jira, published on November 13, 2024, enables TPRM professionals to identify vendors potentially affected by CVE-2021-26086. Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2021-26086 because it allows unauthorized access to sensitive files on vulnerable Jira instances.
Ivanti Releases Fixes for Multiple Vulnerabilities Impacting Connect Secure, Policy Secure, and Secure Access Client
Ivanti Policy Secure (IPS) is a Network Access Control (NAC) solution providing access to authorized and secured users and devices. All the vulnerabilities have a CVSS score of 9.1, impacting various Connect Secure and Policy Secure versions.

CVSS V3.1

Unknown
