CVE-2023-39336
HIGH
Ivanti Endpoint Manager < 2022 SU 5 - Unauthenticated SQL Injection
Title source: llm
Description
An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this may also lead to RCE on the core server.
Scores
CVSS v3
8.8
EPSS
0.0074
EPSS Percentile
73.1%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
ivanti/endpoint_manager
2022 (5 CPE variants)
ivanti/endpoint_manager
< 2022
Published
Jan 09, 2024
Tracked Since
Feb 18, 2026