PT-2020-13671 · Ivanti · Ivanti Endpoint Manager

Andrei Constantin Scutariu

Published

2020-11-16

Updated

2020-11-21

CVE-2020-13772

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Ivanti Endpoint Manager versions through 2020.1.1

Description The issue allows an attacker to disclose information about the server operating system, local pathnames, and environment variables with no authentication required. This is possible through the /ldclient/ldprov.cgi endpoint.

Recommendations For Ivanti Endpoint Manager versions through 2020.1.1, consider restricting access to the /ldclient/ldprov.cgi endpoint until a patch is available. As a temporary workaround, limit the information disclosed by the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2020-13772

Affected Products

Ivanti Endpoint Manager

PT-2020-13671 · Ivanti · Ivanti Endpoint Manager

CVE-2020-13772

Related Identifiers

Affected Products

References · 7