CVE-2024-22052

Description

A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected products

Ivanti / Connect Secure22.1R6.2 – 22.1R6.2
Ivanti / Connect Secure22.2R4.2 – 22.2R4.2
Ivanti / Connect Secure22.3R1.2 – 22.3R1.2
Ivanti / Connect Secure22.4R1.2 – 22.4R1.2
Ivanti / Connect Secure22.4R2.4 – 22.4R2.4
Ivanti / Connect Secure22.5R1.3 – 22.5R1.3
Ivanti / Connect Secure22.5R2.4 – 22.5R2.4
Ivanti / Connect Secure22.6R2.3 – 22.6R2.3
Ivanti / Connect Secure9.1R14.6 – 9.1R14.6
Ivanti / Connect Secure9.1R15.4 – 9.1R15.4
Ivanti / Connect Secure9.1R16.4 – 9.1R16.4
Ivanti / Connect Secure9.1R17.4 – 9.1R17.4
Ivanti / Connect Secure9.1R18.5 – 9.1R18.5
Ivanti / Policy Secure22.4R1.2 – 22.4R1.2
Ivanti / Policy Secure22.5R1.3 – 22.5R1.3
Ivanti / Policy Secure22.6R1.2 – 22.6R1.2
Ivanti / Policy Secure9.1R16.4 – 9.1R16.4
Ivanti / Policy Secure9.1R17.4 – 9.1R17.4
Ivanti / Policy Secure9.1R18.5 – 9.1R18.5

References

MISChttps://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US