CVE-2023-38344
MEDIUM
Ivanti Endpoint Manager <2022 SU4 - Info Disclosure
Title source: llm
Description
An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access.
References (2)
Core References
Third Party Advisory: https://gist.github.com/bhyahoo/76533e91840200a1d9f3fb1eb87eb0f1
Release Notes: https://www.ivanti.com/releases
Scores
CVSS v3: 6.5
EPSS: 0.0059
EPSS Percentile: 69.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (2)
ivanti/endpoint_manager: 2022 (4 CPE variants)
ivanti/endpoint_manager: < 2022
Published: Sep 21, 2023
Tracked Since: Feb 18, 2026