CVE-2024-29822 : An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Published 2024-05-31 18:15:11

Updated 2024-10-03 16:45:19

Source HackerOne

View at NVD, CVE.org

Vulnerability category: Sql InjectionExecute code

Products affected by CVE-2024-29822

Ivanti » Endpoint Manager
Versions before (<) 2022
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
Matching versions
Ivanti » Endpoint Manager
Versions up to, including, (<=) 2022
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
Matching versions
Ivanti » Endpoint Manager » Version: 2022 Update SU1
cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
Matching versions
Ivanti » Endpoint Manager » Version: 2022
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*
Matching versions
Ivanti » Endpoint Manager » Version: 2022 Update SU2
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
Matching versions
Ivanti » Endpoint Manager » Version: 2022 Update SU3
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
Matching versions
Ivanti » Endpoint Manager » Version: 2022 Update SU4
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
Matching versions
Ivanti » Endpoint Manager » Version: 2022 Update SU5
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-29822

EPSS FAQ

0.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 62 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-29822

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.6	CRITICAL	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	2.8	6.0	HackerOne	2024-05-31
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST	2024-10-03
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-29822

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2024-29822

https://forums.ivanti.com/s/article/Security-Advisory-May-2024

Security Advisory May 2024
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-29822

Products affected by CVE-2024-29822

Exploit prediction scoring system (EPSS) score for CVE-2024-29822

CVSS scores for CVE-2024-29822

CWE ids for CVE-2024-29822

References for CVE-2024-29822