CVE-2023-35084 - OpenCVE

Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ivanti	Endpoint Manager

Configuration 1 [-]

OR	cpe:2.3:a:ivanti:endpoint_manager::::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:-::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:su1::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:su2::::::
	cpe:2.3:a:ivanti:endpoint_manager:2022:su3::::::

References

Link	Resource
https://forums.ivanti.com/s/article/SA-2023-08-08-CVE-2023-35084?language=en_US	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2023-10-18T03:52:06.581Z

Updated: 2023-10-18T03:52:06.581Z

Reserved: 2023-06-13T01:00:11.784Z

Link: CVE-2023-35084

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-18T04:15:11.027

Modified: 2023-10-25T00:17:27.200

Link: CVE-2023-35084

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1F6549B-CF5D-4607-B67D-5489905A1705", "versionEndExcluding": "2022", "vulnerable": true}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*", "matchCriteriaId": "46580865-5177-4E55-BDAC-73DA4B472B35", "vulnerable": true}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*", "matchCriteriaId": "E57E12B5-B789-450C-9476-6C4C151E6993", "vulnerable": true}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*", "matchCriteriaId": "E47C65B3-56DD-4D65-8B4B-6AFFE28E94F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*", "matchCriteriaId": "10D6EAB7-B14B-45E9-92B9-4FADFBBB08AF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely."}, {"lang": "es", "value": "La Deserializaci\u00f3n Insegura de la Entrada del Usuario podr\u00eda provocar la ejecuci\u00f3n de operaciones no autorizadas en Ivanti Endpoint Manager 2022 su3 y todas las versiones anteriores, lo que podr\u00eda permitir a un atacante ejecutar comandos de forma remota."}], "id": "CVE-2023-35084", "lastModified": "2023-10-25T00:17:27.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-18T04:15:11.027", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://forums.ivanti.com/s/article/SA-2023-08-08-CVE-2023-35084?language=en_US"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}