Ivanti Issues Hotfix for High-Severity Endpoint Manager Vulnerability


Ivanti this week announced patches for multiple high-severity vulnerabilities in Endpoint Manager and Endpoint Manager for Mobile, including a hotfix for an SQL injection flaw.

Tracked as CVE-2024-37381 (CVSS score of 8.4) and impacting the Core server of Endpoint Manager (EPM) 2024 flat, the SQL injection could be exploited by authenticated attackers with network access to execute arbitrary code.

The hot patch released this week is supported for EPM 2024 flat only, but Ivanti intends to release security updates that fully address the vulnerability.

Ivanti says it is not aware of this vulnerability being exploited in the wild against its customers.

On Wednesday, the company also released patches for four vulnerabilities impacting all versions of its Endpoint Manager for Mobile (EPMM) product.

Three of the flaws, tracked as CVE-2024-36130, CVE-2024-36131 and CVE-2024-36132, are high-severity bugs. The first two allow attackers “within the network to execute arbitrary commands on the underlying operating system of the appliance”, while the third leads to authentication bypass and sensitive information disclosure.

EPMM (Core) versions 11.12.0.3, 12.0.0.3 and 12.1.0.1 address these security defects along with a medium-severity improper authentication issue that could allow attackers to access potentially sensitive information.

“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” Ivanti notes in its advisory.


This week, the company also announced patches for CVE-2024-37403, a medium-severity path traversal-related vulnerability in Ivanti Docs@Work for Android.

The security defect, referred to as Dirty Stream and disclosed by Microsoft earlier this year, is related to a data and file sharing mechanism on Android, and could allow malicious applications to overwrite files in other applications’ home directory, potentially leading to code execution.

In Ivanti’s case, successful exploitation of the vulnerability could allow malicious applications to read sensitive information stored in the root folder of the Docs@Work for Android app.
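As an added illustration of the receiving-app side of the Dirty Stream pattern (example code, not Ivanti’s or Microsoft’s), the hypothetical helper below reads the DISPLAY_NAME that a sharing app supplies through its content provider and refuses any name that would resolve outside the intended cache directory; the unsafe variant is kept only for contrast.

```java
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.IOException;

/** Hypothetical helper for an app that receives shared files (assumed names, not a real product's API). */
public final class SafeSharedFile {

    /** Vulnerable pattern, shown for contrast: the file name is taken verbatim from the sending app. */
    static File unsafeTarget(File cacheDir, String displayName) {
        // A display name containing ".." segments resolves outside cacheDir,
        // into other directories of this app's private storage.
        return new File(cacheDir, displayName);
    }

    /** Hardened: the peer app may only supply a plain file name, never a path. */
    static File safeTarget(File cacheDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()
                || displayName.contains("/") || displayName.contains("\\")
                || displayName.indexOf('\0') >= 0
                || displayName.equals(".") || displayName.equals("..")) {
            throw new IOException("rejecting unsafe display name");
        }
        File base = cacheDir.getCanonicalFile();
        File target = new File(base, displayName).getCanonicalFile();
        // Containment check: the canonical target must stay under the canonical base directory.
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("display name escapes the intended directory");
        }
        return target;
    }

    /** Queries DISPLAY_NAME from the sharing app's content provider, then validates it. */
    static File resolveTarget(ContentResolver resolver, Uri shared, File cacheDir) throws IOException {
        String name = null;
        Cursor c = resolver.query(shared, new String[]{OpenableColumns.DISPLAY_NAME}, null, null, null);
        if (c != null) {
            try {
                if (c.moveToFirst()) {
                    name = c.getString(c.getColumnIndexOrThrow(OpenableColumns.DISPLAY_NAME));
                }
            } finally {
                c.close();
            }
        }
        return safeTarget(cacheDir, name);
    }
}
```

The same containment check applies to any path the receiving app derives from a stream it did not create, including names taken from MIME metadata or intent extras.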

Docs@Work for Android version 2.26.1 addresses the bug and is now available for all Ivanti customers. The company says it is not aware of any public exploitation of the bug.

“These vulnerabilities do not impact any other Ivanti products or solutions,” the company says.

Related: Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager

Related: Ivanti Patches 27 Vulnerabilities in Avalanche MDM Product

Related: Magnet Goblin Delivers Linux Malware Using One-Day Vulnerabilities

