What is the severity of CVE-2024-21893?

CVE-2024-21893 is considered a critical vulnerability due to its potential to allow unauthorized access to restricted resources.

How do I fix CVE-2024-21893?

To mitigate CVE-2024-21893, it is recommended to apply the latest security patches released by Ivanti for affected products.

Which products are affected by CVE-2024-21893?

CVE-2024-21893 affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access versions 9.x and 22.x.

How can attackers exploit CVE-2024-21893?

Attackers can exploit CVE-2024-21893 through server-side request forgery to access restricted resources without authentication.

Is there a known active exploit for CVE-2024-21893?

Yes, there are reports indicating that CVE-2024-21893 is actively being exploited in the wild.

Vulnerability/
CVE-2024-21893

Exploited

high

8.2

CWE

918 77

EPSS

96.249%

31/1/2024

29/11/2024

CVE-2024-21893: Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

First published: Wed Jan 31 2024(Updated: )

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Credit: support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
Ivanti Connect Secure, Policy Secure, and Neurons
Ivanti Connect Secure	=9.0
Ivanti Connect Secure	=9.0-r1
Ivanti Connect Secure	=9.0-r2
Ivanti Connect Secure	=9.0-r2.1
Ivanti Connect Secure	=9.0-r3
Ivanti Connect Secure	=9.0-r3.1
Ivanti Connect Secure	=9.0-r3.2
Ivanti Connect Secure	=9.0-r3.3
Ivanti Connect Secure	=9.0-r3.5
Ivanti Connect Secure	=9.0-r4
Ivanti Connect Secure	=9.0-r4.1
Ivanti Connect Secure	=9.0-r5.0
Ivanti Connect Secure	=9.0-r6.0
Ivanti Connect Secure	=9.1-r1
Ivanti Connect Secure	=9.1-r10
Ivanti Connect Secure	=9.1-r11
Ivanti Connect Secure	=9.1-r11.3
Ivanti Connect Secure	=9.1-r11.4
Ivanti Connect Secure	=9.1-r11.5
Ivanti Connect Secure	=9.1-r12
Ivanti Connect Secure	=9.1-r12.1
Ivanti Connect Secure	=9.1-r13
Ivanti Connect Secure	=9.1-r13.1
Ivanti Connect Secure	=9.1-r14
Ivanti Connect Secure	=9.1-r15
Ivanti Connect Secure	=9.1-r15.2
Ivanti Connect Secure	=9.1-r16
Ivanti Connect Secure	=9.1-r16.1
Ivanti Connect Secure	=9.1-r17
Ivanti Connect Secure	=9.1-r17.1
Ivanti Connect Secure	=9.1-r18
Ivanti Connect Secure	=9.1-r18.1
Ivanti Connect Secure	=9.1-r18.2
Ivanti Connect Secure	=9.1-r2
Ivanti Connect Secure	=9.1-r3
Ivanti Connect Secure	=9.1-r4
Ivanti Connect Secure	=9.1-r4.1
Ivanti Connect Secure	=9.1-r4.2
Ivanti Connect Secure	=9.1-r4.3
Ivanti Connect Secure	=9.1-r5
Ivanti Connect Secure	=9.1-r6
Ivanti Connect Secure	=9.1-r7
Ivanti Connect Secure	=9.1-r8
Ivanti Connect Secure	=9.1-r8.1
Ivanti Connect Secure	=9.1-r8.2
Ivanti Connect Secure	=9.1-r9
Ivanti Connect Secure	=9.1-r9.1
Ivanti Connect Secure	=21.9-r1
Ivanti Connect Secure	=21.12-r1
Ivanti Connect Secure	=22.1-r1
Ivanti Connect Secure	=22.1-r6
Ivanti Connect Secure	=22.2
Ivanti Connect Secure	=22.2-r1
Ivanti Connect Secure	=22.3-r1
Ivanti Connect Secure	=22.4-r1
Ivanti Connect Secure	=22.4-r2.1
Ivanti Connect Secure	=22.6
Ivanti Connect Secure	=22.6-r1
Ivanti Connect Secure	=22.6-r2
Ivanti Connect Secure	=22.6-r2.1
Ivanti Neurons for Zero-Trust Access
Ivanti Policy Secure	=9.0
Ivanti Policy Secure	=9.0-r1
Ivanti Policy Secure	=9.0-r2
Ivanti Policy Secure	=9.0-r2.1
Ivanti Policy Secure	=9.0-r3
Ivanti Policy Secure	=9.0-r3.1
Ivanti Policy Secure	=9.0-r4
Ivanti Policy Secure	=9.1
Ivanti Policy Secure	=9.1-r1
Ivanti Policy Secure	=9.1-r10
Ivanti Policy Secure	=9.1-r11
Ivanti Policy Secure	=9.1-r12
Ivanti Policy Secure	=9.1-r13
Ivanti Policy Secure	=9.1-r13.1
Ivanti Policy Secure	=9.1-r14
Ivanti Policy Secure	=9.1-r15
Ivanti Policy Secure	=9.1-r16
Ivanti Policy Secure	=9.1-r17
Ivanti Policy Secure	=9.1-r18
Ivanti Policy Secure	=9.1-r18.1
Ivanti Policy Secure	=9.1-r18.2
Ivanti Policy Secure	=9.1-r2
Ivanti Policy Secure	=9.1-r3
Ivanti Policy Secure	=9.1-r3.1
Ivanti Policy Secure	=9.1-r4
Ivanti Policy Secure	=9.1-r4.1
Ivanti Policy Secure	=9.1-r4.2
Ivanti Policy Secure	=9.1-r4.3
Ivanti Policy Secure	=9.1-r5
Ivanti Policy Secure	=9.1-r6
Ivanti Policy Secure	=9.1-r7
Ivanti Policy Secure	=9.1-r8
Ivanti Policy Secure	=9.1-r8.1
Ivanti Policy Secure	=9.1-r8.2
Ivanti Policy Secure	=9.1-r9
Ivanti Policy Secure	=22.1-r1
Ivanti Policy Secure	=22.1-r6
Ivanti Policy Secure	=22.2-r1
Ivanti Policy Secure	=22.2-r3
Ivanti Policy Secure	=22.3-r1
Ivanti Policy Secure	=22.3-r3
Ivanti Policy Secure	=22.4-r1
Ivanti Policy Secure	=22.4-r2
Ivanti Policy Secure	=22.4-r2.1
Ivanti Policy Secure	=22.5-r1
Ivanti Policy Secure	=22.6-r1
Ivanti Neurons for Zero-Trust Access	=22.2-r1
Ivanti Neurons for Zero-Trust Access	=22.2-r4
Ivanti Neurons for Zero-Trust Access	=22.2-r5
Ivanti Neurons for Zero-Trust Access	=22.3-r1
Ivanti Neurons for Zero-Trust Access	=22.3-r4
Ivanti Neurons for Zero-Trust Access	=22.4-r1
Ivanti Neurons for Zero-Trust Access	=22.4-r3
Ivanti Neurons for Zero-Trust Access	=22.5-r1
Ivanti Neurons for Zero-Trust Access	=22.5-r1.2
Ivanti Neurons for Zero-Trust Access	=22.6-r1
Ivanti Neurons for Zero-Trust Access	=22.6-r1.2

Remedy

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Never miss a vulnerability like this again

Reference Links

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is the severity of CVE-2024-21893?
CVE-2024-21893 is considered a critical vulnerability due to its potential to allow unauthorized access to restricted resources.
How do I fix CVE-2024-21893?
To mitigate CVE-2024-21893, it is recommended to apply the latest security patches released by Ivanti for affected products.
Which products are affected by CVE-2024-21893?
CVE-2024-21893 affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access versions 9.x and 22.x.
How can attackers exploit CVE-2024-21893?
Attackers can exploit CVE-2024-21893 through server-side request forgery to access restricted resources without authentication.
Is there a known active exploit for CVE-2024-21893?
Yes, there are reports indicating that CVE-2024-21893 is actively being exploited in the wild.

collector/bleeping-computer
source/BleepingComputer
alias/CVE-2024-21893
alias/CVE-2024-21888
alias/CVE-2023-46805
alias/CVE-2024-21887
agent/type
collector/the-register
source/The Register
agent/remedy
agent/title
agent/first-publish-date
agent/description
alias/CVE-2024-22024
alias/CVE-2021-22893
agent/weakness
alias/CVE-2023-41265
alias/CVE-2023-41266
alias/CVE-2023-48365
alias/CVE-2022-24086
agent/severity
alias/CVE-2023-41724
alias/CVE-2023-46808
alias/CVE-2024-21894
collector/epss-latest
source/FIRST
agent/epss
zeroday/true
agent/news-ai
collector/mitre-cve
source/MITRE
alias/CVE-2024-7593
alias/CVE-2024-7569
exploited/true
collector/cisa-known-exploited
source/CISA
agent/software-canonical-lookup
agent/author
alias/CVE-2024-29847
alias/CVE-2023-39336
agent/references
collector/nvd-api
source/NVD
agent/last-modified-date
agent/event
agent/softwarecombine
collector/nvd-cve
agent/tags
agent/trending
agent/source
vendor/ivanti
canonical/ivanti connect secure, policy secure, and neurons
canonical/ivanti connect secure
version/ivanti connect secure/9.0
version/ivanti connect secure/9.0-r1
version/ivanti connect secure/9.0-r2
version/ivanti connect secure/9.0-r2.1
version/ivanti connect secure/9.0-r3
version/ivanti connect secure/9.0-r3.1
version/ivanti connect secure/9.0-r3.2
version/ivanti connect secure/9.0-r3.3
version/ivanti connect secure/9.0-r3.5
version/ivanti connect secure/9.0-r4
version/ivanti connect secure/9.0-r4.1
version/ivanti connect secure/9.0-r5.0
version/ivanti connect secure/9.0-r6.0
version/ivanti connect secure/9.1-r1
version/ivanti connect secure/9.1-r10
version/ivanti connect secure/9.1-r11
version/ivanti connect secure/9.1-r11.3
version/ivanti connect secure/9.1-r11.4
version/ivanti connect secure/9.1-r11.5
version/ivanti connect secure/9.1-r12
version/ivanti connect secure/9.1-r12.1
version/ivanti connect secure/9.1-r13
version/ivanti connect secure/9.1-r13.1
version/ivanti connect secure/9.1-r14
version/ivanti connect secure/9.1-r15
version/ivanti connect secure/9.1-r15.2
version/ivanti connect secure/9.1-r16
version/ivanti connect secure/9.1-r16.1
version/ivanti connect secure/9.1-r17
version/ivanti connect secure/9.1-r17.1
version/ivanti connect secure/9.1-r18
version/ivanti connect secure/9.1-r18.1
version/ivanti connect secure/9.1-r18.2
version/ivanti connect secure/9.1-r2
version/ivanti connect secure/9.1-r3
version/ivanti connect secure/9.1-r4
version/ivanti connect secure/9.1-r4.1
version/ivanti connect secure/9.1-r4.2
version/ivanti connect secure/9.1-r4.3
version/ivanti connect secure/9.1-r5
version/ivanti connect secure/9.1-r6
version/ivanti connect secure/9.1-r7
version/ivanti connect secure/9.1-r8
version/ivanti connect secure/9.1-r8.1
version/ivanti connect secure/9.1-r8.2
version/ivanti connect secure/9.1-r9
version/ivanti connect secure/9.1-r9.1
version/ivanti connect secure/21.9-r1
version/ivanti connect secure/21.12-r1
version/ivanti connect secure/22.1-r1
version/ivanti connect secure/22.1-r6
version/ivanti connect secure/22.2
version/ivanti connect secure/22.2-r1
version/ivanti connect secure/22.3-r1
version/ivanti connect secure/22.4-r1
version/ivanti connect secure/22.4-r2.1
version/ivanti connect secure/22.6
version/ivanti connect secure/22.6-r1
version/ivanti connect secure/22.6-r2
version/ivanti connect secure/22.6-r2.1
canonical/ivanti policy secure
version/ivanti policy secure/9.0
version/ivanti policy secure/9.0-r1
version/ivanti policy secure/9.0-r2
version/ivanti policy secure/9.0-r2.1
version/ivanti policy secure/9.0-r3
version/ivanti policy secure/9.0-r3.1
version/ivanti policy secure/9.0-r4
version/ivanti policy secure/9.1
version/ivanti policy secure/9.1-r1
version/ivanti policy secure/9.1-r10
version/ivanti policy secure/9.1-r11
version/ivanti policy secure/9.1-r12
version/ivanti policy secure/9.1-r13
version/ivanti policy secure/9.1-r13.1
version/ivanti policy secure/9.1-r14
version/ivanti policy secure/9.1-r15
version/ivanti policy secure/9.1-r16
version/ivanti policy secure/9.1-r17
version/ivanti policy secure/9.1-r18
version/ivanti policy secure/9.1-r18.1
version/ivanti policy secure/9.1-r18.2
version/ivanti policy secure/9.1-r2
version/ivanti policy secure/9.1-r3
version/ivanti policy secure/9.1-r3.1
version/ivanti policy secure/9.1-r4
version/ivanti policy secure/9.1-r4.1
version/ivanti policy secure/9.1-r4.2
version/ivanti policy secure/9.1-r4.3
version/ivanti policy secure/9.1-r5
version/ivanti policy secure/9.1-r6
version/ivanti policy secure/9.1-r7
version/ivanti policy secure/9.1-r8
version/ivanti policy secure/9.1-r8.1
version/ivanti policy secure/9.1-r8.2
version/ivanti policy secure/9.1-r9
version/ivanti policy secure/22.1-r1
version/ivanti policy secure/22.1-r6
version/ivanti policy secure/22.2-r1
version/ivanti policy secure/22.2-r3
version/ivanti policy secure/22.3-r1
version/ivanti policy secure/22.3-r3
version/ivanti policy secure/22.4-r1
version/ivanti policy secure/22.4-r2
version/ivanti policy secure/22.4-r2.1
version/ivanti policy secure/22.5-r1
version/ivanti policy secure/22.6-r1
canonical/ivanti neurons for zero-trust access
version/ivanti neurons for zero-trust access/22.2-r1
version/ivanti neurons for zero-trust access/22.2-r4
version/ivanti neurons for zero-trust access/22.2-r5
version/ivanti neurons for zero-trust access/22.3-r1
version/ivanti neurons for zero-trust access/22.3-r4
version/ivanti neurons for zero-trust access/22.4-r1
version/ivanti neurons for zero-trust access/22.4-r3
version/ivanti neurons for zero-trust access/22.5-r1
version/ivanti neurons for zero-trust access/22.5-r1.2
version/ivanti neurons for zero-trust access/22.6-r1
version/ivanti neurons for zero-trust access/22.6-r1.2

CVE-2024-21893: Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

Remedy

Never miss a vulnerability like this again

Reference Links

Peer vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2024-21893?

How do I fix CVE-2024-21893?

Which products are affected by CVE-2024-21893?

How can attackers exploit CVE-2024-21893?

Is there a known active exploit for CVE-2024-21893?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2024-21893?

How do I fix CVE-2024-21893?

Which products are affected by CVE-2024-21893?

How can attackers exploit CVE-2024-21893?

Is there a known active exploit for CVE-2024-21893?