In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no authentication required.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13772
Reference (s):
- https://forums.ivanti.com/s/
- https://labs.jumpsec.com/cve-2020-13772-ivanti-uem-system-information-disclosure/