CVE-2023-28323

2023-07-0100:15:10

CWE-502

[email protected]

web.nvd.nist.gov

cve-2023-28323

epm

deserialization

security vulnerability

untrusted data

os vulnerabilities

privilege escalation

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

79.1%

JSON

A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine or be used as a stepping stone to get to other network attached machines.

Affected configurations

NVD

Node

ivantiendpoint_managerRange<2022

ivantiendpoint_managerMatch2022-

ivantiendpoint_managerMatch2022su1

ivantiendpoint_managerMatch2022su2

ivantiendpoint_managerMatch2022su3

CPENameOperatorVersion
ivanti:endpoint_managerivanti endpoint managerlt2022

CPE	Name	Operator	Version
ivanti:endpoint_manager	ivanti endpoint manager	lt	2022

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Ivanti",
    "product": "Ivanti Endpoint Manager",
    "versions": [
      {
        "version": "2022",
        "status": "affected",
        "lessThan": "2022",
        "versionType": "semver"
      }
    ]
  }
]