// For flags

CVE-2023-38035

Ivanti Sentry Authentication Bypass Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

Act
*SSVC
Descriptions

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

Una vulnerabilidad de seguridad en MICS Admin Portal en Ivanti MobileIron Sentry versiones 9.18.0 y anteriores, que puede permitir a un atacante eludir los controles de autenticaciĆ³n en la interfaz administrativa debido a una configuraciĆ³n insuficientemente restrictiva de Apache HTTPD .

Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability that may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Act
Exploitation
Active
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-07-12 CVE Reserved
  • 2023-08-21 CVE Published
  • 2023-08-22 Exploited in Wild
  • 2023-08-23 First Exploit
  • 2023-09-12 KEV Due Date
  • 2024-08-02 CVE Updated
  • 2024-10-30 EPSS Updated
CWE
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ivanti
Search vendor "Ivanti"
 Mobileiron Sentry
Search vendor "Ivanti" for product "Mobileiron Sentry"
 <= 9.18.0
Search vendor "Ivanti" for product "Mobileiron Sentry" and version " <= 9.18.0"
-
Affected