{"id":"CVE-2024-21887","details":"A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x)  allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.","modified":"2026-05-04T08:42:02.360176Z","published":"2024-01-12T17:15:10.017Z","withdrawn":"2026-05-04T08:42:02.360176Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887"},{"type":"ADVISORY","url":"https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21887.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r11\\.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r11\\.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r11\\.5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r12\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r13\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r14"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r15\\.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r16"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r16\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r17"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r17\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r18"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r4\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r4\\.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r4\\.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r8\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r8\\.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r9"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r9\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"22.2-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"22.2-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.3-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.4-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.4-r2\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.5-r2\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.6-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"22.6-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.6-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r13\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r14"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r16"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r17"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r18"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r3\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r4\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r4\\.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r8\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r8\\.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1-r9"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.1-r6"}]},{"events":[{"introduced":"0"},{"last_affected":"22.2-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.2-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"22.3-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.3-r3"}]},{"events":[{"introduced":"0"},{"last_affected":"22.4-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.4-r2"}]},{"events":[{"introduced":"0"},{"last_affected":"22.4-r2\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.5-r1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.5-r2\\.1"}]},{"events":[{"introduced":"0"},{"last_affected":"22.6-r1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}