CVE-2023-39339 PUBLISHED

Assigner: hackerone
Reserved: 28.07.2023 Published: 12.07.2025 Updated: 14.07.2025

A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.

Metrics

CVSS 3.0

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.0

Product Status

Vendor	Ivanti
Product	Policy Secure
Versions	Default: unaffected affected from 22.6R1 to 22.6R1 (excl.)

References

https://forums.ivanti.com/s/article/Security-patch-release-Ivanti-Policy-Secure-22-6R1