CVE-2023-38343

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928	Third Party Advisory
https://www.ivanti.com/releases	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ivanti:endpoint_manager::::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:-::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:su1::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:su2::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:su3::::::

History

25 Sep 2023, 17:09

Type	Values Removed	Values Added
First Time		Ivanti Ivanti endpoint Manager
CWE		CWE-611
CPE		cpe:2.3:a:ivanti:endpoint_manager:2022:su3:::::: cpe:2.3:a:ivanti:endpoint_manager:2022:su1:::::: cpe:2.3:a:ivanti:endpoint_manager:2022:-:::::: cpe:2.3:a:ivanti:endpoint_manager:2022:su2:::::: cpe:2.3:a:ivanti:endpoint_manager::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://www.ivanti.com/releases -~~	(MISC) https://www.ivanti.com/releases - Release Notes
References	~~(MISC) https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928 -~~	(MISC) https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928 - Third Party Advisory

21 Sep 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-21 21:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-38343

Mitre link : CVE-2023-38343

CVE.ORG link : CVE-2023-38343

JSON object : View

Products Affected

ivanti

endpoint_manager

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2023-38343", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-09-21T21:15:09.747", "references": [{"url": "https://gist.github.com/bhyahoo/4772330b20057a271f77e690bc70f928", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.ivanti.com/releases", "tags": ["Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery."}, {"lang": "es", "value": "Existe una vulnerabilidad XXE (inyecci\u00f3n de entidad externa XML) en el componente CSEP de Ivanti Endpoint Manager antes de 2022 SU4. Las referencias a entidades externas est\u00e1n habilitadas en la configuraci\u00f3n del analizador XML. La explotaci\u00f3n de esta vulnerabilidad puede provocar la divulgaci\u00f3n de archivos o Server Side Request Forgery."}], "lastModified": "2023-09-25T17:09:47.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1F6549B-CF5D-4607-B67D-5489905A1705", "versionEndExcluding": "2022"}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46580865-5177-4E55-BDAC-73DA4B472B35"}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E57E12B5-B789-450C-9476-6C4C151E6993"}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E47C65B3-56DD-4D65-8B4B-6AFFE28E94F2"}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10D6EAB7-B14B-45E9-92B9-4FADFBBB08AF"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}