Security Bulletin: CVE-2017-11463

Version 1


    An authenticated, low-privileged attacker with network access can view, edit and delete user-related data when using Workspaces, if no configuration changes have been made to limit end user privileges, visible fields or data partitioning.


    Affected software versions

    1. Ivanti Service Desk (formerly LANDESK Service Desk) all product versions between 2016.3 and 2017.3


    Ivanti recommends that customers update their software installations by following these instructions:

    1. Ensure that end user roles restrict read and update access to objects and attributes as appropriate
    2. Ensure that forms published for end users do not include fields that are not necessary for end users to see
    3. Ensure that data partitioning is configured appropriately for the requirements of the customer
    4. Upgrade to Ivanti Service Desk 2017.3 and apply Service Update 001, available from the downloads section