CVE-2023-39336: SQL Injection
First published: Tue Jan 09 2024(Updated: )
An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this may also lead to RCE on the core server.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ivanti Endpoint Manager (EPM) | <2022 | |
| Ivanti Endpoint Manager (EPM) | =2022 | |
| Ivanti Endpoint Manager (EPM) | =2022-su1 | |
| Ivanti Endpoint Manager (EPM) | =2022-su2 | |
| Ivanti Endpoint Manager (EPM) | =2022-su3 | |
| Ivanti Endpoint Manager (EPM) | =2022-su4 | |
| Ivanti Endpoint Management | =2022 Service Update 5 | |
| Ivanti Endpoint Manager Mobile | ||
| Ivanti Sentry | ||
| Ivanti Avalanche | ||
| Perforce Helix Core Server | ||
| Apache Struts 2 | ||
| Sophos firewalls | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2023-39336?
CVE-2023-39336 is classified as a critical SQL Injection vulnerability that may allow an attacker to execute arbitrary SQL queries.
How do I fix CVE-2023-39336?
To mitigate CVE-2023-39336, update Ivanti Endpoint Manager and other affected products to the latest security patch or version.
What products are affected by CVE-2023-39336?
CVE-2023-39336 affects multiple Ivanti products including Ivanti Endpoint Management, Ivanti Endpoint Manager Mobile, and others released prior to 2022 SU 5.
Can exploitation of CVE-2023-39336 lead to remote code execution?
Yes, under specific circumstances, exploitation of CVE-2023-39336 may lead to remote code execution.
Who can exploit CVE-2023-39336?
An attacker with access to the internal network can exploit CVE-2023-39336 without the need for authentication.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/weakness
- agent/description
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-29847
- alias/CVE-2023-39336
- alias/CVE-2024-21887
- alias/CVE-2023-46805
- alias/CVE-2024-21893
- agent/references
- agent/trending
- agent/event
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- vendor/ivanti
- canonical/ivanti endpoint manager (epm)
- version/ivanti endpoint manager (epm)/2022
- version/ivanti endpoint manager (epm)/2022-su1
- version/ivanti endpoint manager (epm)/2022-su2
- version/ivanti endpoint manager (epm)/2022-su3
- version/ivanti endpoint manager (epm)/2022-su4
- canonical/ivanti endpoint management
- version/ivanti endpoint management/2022 service update 5
- canonical/ivanti endpoint manager mobile
- canonical/ivanti sentry
- canonical/ivanti avalanche
- vendor/perforce
- canonical/perforce helix core server
- vendor/apache
- canonical/apache struts 2
- vendor/sophos
- canonical/sophos firewalls
- vendor/wordpress