Detections
Analytics
Ivanti Sentry Authentication Bypass
critical Web App Scanning Plugin ID 114356
Language:
Synopsis
Ivanti Sentry Authentication BypassDescription
Ivanti Sentry, formerly known as MobileIron Sentry, is vulnerable to an API authentication bypass on the Sentry administrator interface. A remote and unauthenticated attacker can leverage this vulnerability to gain access to sensitive APIs and achieve OS command execution as the root user on the vulnerable instance.Solution
Ensure that the Ivanti Sentry appliance is in a supported version and apply the vendor patch according to the deployed version. Restrict access to the System Manager Portal to only trusted IP addresses / locations.See Also
Plugin Details
Severity: Critical
ID: 114356
Type: remote
Family: Component Vulnerability
Published: 6/28/2024
Updated: 6/28/2024
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Critical
Score: 9.0
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2023-38035
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2023-38035
Vulnerability Information
CPE: cpe:2.3:a:ivanti:sentry:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/21/2023
Vulnerability Publication Date: 8/21/2023
CISA Known Exploited Vulnerability Due Dates: 9/12/2023
Reference Information
CVE: CVE-2023-38035
CWE: 863
OWASP: 2010-A8, 2013-A7, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A6
WASC: Insufficient Authorization
DISA STIG: APSC-DV-000460, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1