CVE-2023-39339: 
Ivanti Policy Secure vulnerability analysis and mitigation

A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request. The vulnerability was assigned CVE-2023-39339 and was discovered as part of Ivanti's normal quarterly security review process (Ivanti Blog).

The vulnerability is classified as CWE-22, which refers to 'Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)'. According to the CVSS 3.0 scoring, it received a base score of 4.9 (MEDIUM) with the following vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating that while the vulnerability requires high privileges, it can be exploited over the network with low attack complexity (NVD).

The vulnerability allows an authenticated administrator to perform arbitrary file read operations through specially crafted web requests. This could potentially lead to unauthorized access to sensitive system files and information disclosure (NVD).

Ivanti has released version 22.6R1 of Policy Secure to address this vulnerability. Customers are encouraged to upgrade to this version or later to remediate the issue. The security updates are available through Ivanti's Download Center (Ivanti Blog).