vulnerability
Pulse Secure Pulse Connect Secure: SA:CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow), CVE-2024-22023 (XML entity expansion or XXE) and CVE-2024-29205 for Ivanti Connect Secure and Ivanti Policy Secure Gateways
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Apr 2, 2024 | Apr 12, 2024 | Mar 26, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
Apr 2, 2024
Added
Apr 12, 2024
Modified
Mar 26, 2026
Description
An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.
Solutions
pulse-secure-pulse-connect-secure-upgrade-9_0r0pulse-secure-pulse-connect-secure-upgrade-22_0r0
References
- CVE-2024-22023
- https://attackerkb.com/topics/CVE-2024-22023
- https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-19629
- CWE-476
- CWE-703
- EUVD-EUVD-2024-19629
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.