Main Vulnerability Database SB2024052216

SB2024052216 - CRLF injection in Ivanti Connect Secure and Ivanti Policy Secure

Published: May 22, 2024

Security Bulletin ID SB2024052216

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) CRLF injection (CVE-ID: CVE-2023-38551)

The vulnerability allows a remote user to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data. A remote privileged user can pass specially crafted data to the application containing CR-LF characters and modify application behavior, leading to cross-site scripting attacks.

Remediation

Install update from vendor's website.

References

https://forums.ivanti.com/s/article/Security-Advisory-May-2024?language=en_US
https://forums.ivanti.com/s/article/KB-Security-Advisory-Ivanti-Connect-Secure-Ivanti-Policy-Secure-May-2024?language=en_US