CVE-2024-22023

Name of the Vulnerable Software and Affected Versions Ivanti Connect Secure versions 9.x through 22.x Ivanti Policy Secure versions 9.x through 22.x

Description The issue is related to an XML entity expansion or XEE vulnerability in the SAML component, allowing an unauthenticated attacker to send specially crafted XML requests, causing temporary resource exhaustion and resulting in a limited-time Denial of Service (DoS). Additionally, there is a mention of a heap overflow vulnerability in the IPSec component that can cause the service to crash, leading to a DoS attack, and potentially allow reading contents from memory under certain conditions.

Recommendations For Ivanti Connect Secure versions 9.x through 22.x: Update to a version that includes a fix for the XML entity expansion vulnerability and the heap overflow vulnerability in the IPSec component. For Ivanti Policy Secure versions 9.x through 22.x: Update to a version that includes a fix for the XML entity expansion vulnerability and the heap overflow vulnerability in the IPSec component. As a temporary workaround, consider restricting access to the SAML component and the IPSec component to minimize the risk of exploitation.