CVE-2024-8963: Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
First published: Thu Sep 19 2024(Updated: )
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Credit: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ivanti Cloud Services Appliance (CSA) | ||
| Ivanti Endpoint Manager Cloud Services Appliance | =4.6 | |
| Ivanti Endpoint Manager Cloud Services Appliance | =4.6-patch_512 | |
| Ivanti Endpoint Manager Cloud Services Appliance | =4.6-patch_518 |
Remedy
As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963
- https://nvd.nist.gov/vuln/detail/CVE-2024-8963
- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-another-critical-csa-flaw-exploited-in-attacks/
- https://www.theregister.com/2024/09/20/patch_up_ivanti_fixes_exploited/
- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-three-more-csa-zero-days-exploited-in-attacks/
- https://www.theregister.com/2024/10/10/cisa_ivanti_fortinet_vulns/
- agent/type
- agent/remedy
- agent/title
- agent/description
- agent/first-publish-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-8963
- alias/CVE-2024-8190
- collector/the-register
- source/The Register
- alias/CVE-2024-1708
- alias/CVE-2024-20345
- collector/nvd-api
- source/NVD
- agent/severity
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- collector/nvd-cve
- alias/CVE-2024-9379
- alias/CVE-2024-9380
- alias/CVE-2024-9381
- agent/references
- agent/tags
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- alias/CVE-2024-23113
- vendor/ivanti
- canonical/ivanti cloud services appliance (csa)
- canonical/ivanti endpoint manager cloud services appliance
- version/ivanti endpoint manager cloud services appliance/4.6
- version/ivanti endpoint manager cloud services appliance/4.6-patch_512
- version/ivanti endpoint manager cloud services appliance/4.6-patch_518