Security News > 2023 > August > Ivanti discloses another vulnerability in MobileIron Core (CVE-2023-35082)

Ivanti discloses another vulnerability in MobileIron Core (CVE-2023-35082)
2023-08-03 10:41

Ivanti has disclosed a critical vulnerability affecting old, out-of-support versions of MobileIron Core, an enterprise device solution that has since been rebranded to Ivanti Endpoint Manager Mobile.

"The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug. It had not previously been identified as a vulnerability," noted Ivanti.

"Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application's security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078 as it pertains to version 11.2 and below of the product," said Stephen Fewer, principal security researcher at Rapid7, who disclosed this vulnerability to Ivanti.

MobileIron Core v11.2 is no longer supported and Ivanti will not be releasing a patch for this or earlier vulnerable versions.

"We are actively working with our customers to upgrade to the latest version of Ivanti Endpoint Manager Mobile or migrate to the cloud version of the product, Ivanti Neurons for MDM," the IT software maker says.

"Additionally, should a separate vulnerability be present in the API, an attacker can chain these vulnerabilities together. For example, CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker write malicious webshell files to the appliance, which may then be executed by the attacker," Fewer added.


News URL

https://www.helpnetsecurity.com/2023/08/03/cve-2023-35082/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-08-15 CVE-2023-35082 Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication.
network
low complexity
ivanti CWE-287
critical
9.8
2023-08-03 CVE-2023-35081 Path Traversal vulnerability in Ivanti Endpoint Manager Mobile
A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance.
network
low complexity
ivanti CWE-22
7.2
2023-07-25 CVE-2023-35078 Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile
An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.
network
low complexity
ivanti CWE-287
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ivanti 27 0 51 157 75 283
Mobileiron 8 0 1 2 5 8