CVE-2024-13159 - Vulnerability Details - OpenCVE

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6

History

Tue, 14 Jan 2025 17:30:00 +0000

Type	Values Removed	Values Added
Description		Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Weaknesses		CWE-36
References		https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ivanti

Published: 2025-01-14T17:12:57.652Z

Updated: 2025-01-14T17:12:57.652Z

Reserved: 2025-01-07T02:28:21.601Z

Link: CVE-2024-13159

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-01-14T18:15:26.243

Modified: 2025-01-14T18:15:26.243

Link: CVE-2024-13159

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-13159", "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "state": "PUBLISHED", "assignerShortName": "ivanti", "dateReserved": "2025-01-07T02:28:21.601Z", "datePublished": "2025-01-14T17:12:57.652Z", "dateUpdated": "2025-01-14T17:12:57.652Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Endpoint Manager", "vendor": "Ivanti", "versions": [{"status": "unaffected", "version": "2024 January-2025 Security Update", "versionType": "custom"}, {"status": "unaffected", "version": "2022 SU6 January-2025 Security Update", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>"}], "value": "Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information."}], "impacts": [{"capecId": "CAPEC-597", "descriptions": [{"lang": "en", "value": "CAPEC-597 Absolute Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "shortName": "ivanti", "dateUpdated": "2025-01-14T17:12:57.652Z"}, "references": [{"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}}}