Ivanti Endpoint Manager Mobile Remote Unauthenticated API Access (CVE-2023-35078)

critical Nessus Plugin ID 179167

Synopsis

Ivanti Endpoint Manager Mobile, formerly MobileIron Core, running on the remote host is affected by a remote unauthenticated API access vulnerability.

Description

The version of Ivanti Endpoint Manager Mobile, formerly MobileIron Core, running on the remote host is affected by an undisclosed unauthenticated API access vulnerability.

Solution

Update to Ivanti Endpoint Manager Mobile version 11.8.1.1, 11.9.1.1, or 11.10.0.2 or later.

See Also

http://www.nessus.org/u?d43cfc54

http://www.nessus.org/u?1598cf70

Plugin Details

Severity: Critical

ID: 179167

File Name: ivanti_endpoint_manager_mobile_CVE-2023-35078.nbin

Version: 1.11

Type: remote

Family: Misc.

Published: 8/1/2023

Updated: 2/22/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-35078

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mobileiron:core, cpe:/a:ivanti:mobileiron

Required KB Items: installed_sw/MobileIron Core

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/24/2023

Vulnerability Publication Date: 7/24/2023

CISA Known Exploited Vulnerability Due Dates: 8/15/2023

Reference Information

CVE: CVE-2023-35078

IAVA: 2023-A-0383