CVE-2023-38344

An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access.

Published: Sep 21, 2023
Updated: Sep 26, 2023
CVE: CVE-2023-38344
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
ivanti / endpoint_manager	2022-su1	2022-su1.x
ivanti / endpoint_manager	-	2022
ivanti / endpoint_manager	2022	2022.x
ivanti / endpoint_manager	2022-su2	2022-su2.x
ivanti / endpoint_manager	2022-su3	2022-su3.x

https://gist.github.com/bhyahoo/76533e91840200a1d9f3fb1eb87eb0f1
https://www.ivanti.com/releases

Vulnerability Database

CVE-2023-38344