CVE-2021-44529

Type:

Code Injection

Severity:

High

Publication date:

12/08/2021

Last modified:

04/18/2022

Description

A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

Impact

Access Vector: Through network

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Partially affects on system integrity + Partially affects on system confidentiality + Partially affects on system availability

Vulnerable software and versions

cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:4.6:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:*:*:*:*:*:*:*:*

To consult the complete list of products and versions see this page

References to Advisories, Solutions, and Tools

https://forums.ivanti.com/s/article/SA-2021-12-02 (Source: MISC)
http://packetstormsecurity.com/files/166383/Ivanti-Endpoint-Manager-CSA-4.5-4.6-Remote-Code-Execution.html (Source: MISC)

Explanation of fields

Corporate access

CVE-2021-44529