vulnerability
Pulse Secure Pulse Connect Secure: SA:CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow), CVE-2024-22023 (XML entity expansion or XXE) and CVE-2024-29205 for Ivanti Connect Secure and Ivanti Policy Secure Gateways
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Apr 2, 2024 | Apr 12, 2024 | Mar 26, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
Apr 2, 2024
Added
Apr 12, 2024
Modified
Mar 26, 2026
Description
An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.
Solutions
pulse-secure-pulse-connect-secure-upgrade-9_0r0pulse-secure-pulse-connect-secure-upgrade-22_0r0
References
- CVE-2024-22023
- https://attackerkb.com/topics/CVE-2024-22023
- https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-19629
- CWE-476
- CWE-703
- EUVD-EUVD-2024-19629
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.