SecuriTricks - CVE-2024-29211

Description

A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files.

Product(s) Impacted

Vendor	Product	Versions
Ivanti	Secure Access Client	*, 22.7

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	ivanti	secure_access_client	/	/	/	/	/	/	/	/
a	ivanti	secure_access_client	22.7	-	/	/	/	/	/	/
a	ivanti	secure_access_client	22.7	r1	/	/	/	/	/	/
a	ivanti	secure_access_client	22.7	r2	/	/	/	/	/	/
a	ivanti	secure_access_client	22.7	r3	/	/	/	/	/	/

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

CVSS Score

4.7 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

View Vector String

Timeline

Published: Nov. 13, 2024, 2:15 a.m.
Last Modified: Nov. 14, 2024, 7:09 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

support@hackerone.com

CVE-2024-29211