CVE-2024-22023

MEDIUM

Ivanti Connect/Ivanti Policy <9.x,22.x - DoS

Title source: llm

Description

An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

References (1)

[Vendor Advisory] https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Scores

CVSS v3 5.3

EPSS 0.0072

EPSS Percentile 72.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-703 CWE-476

Status published

Products (9)

ivanti/connect_secure 9.1 r1 (22 CPE variants)

ivanti/connect_secure 22.1

ivanti/connect_secure 22.2

ivanti/connect_secure 22.3

ivanti/connect_secure 22.4

ivanti/connect_secure 22.5

ivanti/connect_secure 22.6

ivanti/policy_secure 9.0 (7 CPE variants)

ivanti/policy_secure 9.1 (15 CPE variants)

Published Apr 04, 2024

Tracked Since Feb 18, 2026