CVE-2021-30497
Published 2022-04-06
Priority: P183 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 96.58% (99.9th percentile)
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | avalanche | — | — |
Detection & IOCs
- Detect unauthenticated GET requests to /AvalancheWeb/image with an imageFilePath parameter containing absolute Windows paths (e.g., C:/) indicating path traversal attempts.
- A successful exploitation response (HTTP 200) to /AvalancheWeb/image?imageFilePath=C:/windows/win.ini will contain the string 'for 16-bit app support' in the response body, confirming arbitrary file read.
- The vulnerability is exploitable by remote unauthenticated users; monitor for requests to /AvalancheWeb/image lacking authentication headers but containing absolute file paths in the imageFilePath query parameter.
- Vulnerability is specific to Ivanti Avalanche (Premise) version 6.3.2 on Windows platforms; the path traversal uses Windows-style absolute paths (C:/) and may not apply to other OS deployments.
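An added example (not from the sources quoted on this page): the request-based detection points above applied to web access logs. It goes slightly beyond the C:/ case by also flagging percent-encoded, backslash, UNC and rooted values; the Common Log Format layout, the sample lines and the function name are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not taken from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [31/Jan/2024:10:02:11 +0000] "GET /AvalancheWeb/image?imageFilePath=C:/windows/win.ini HTTP/1.1" 200 92
198.51.100.7 - - [31/Jan/2024:10:02:15 +0000] "GET /avalancheweb/image?imageFilePath=C%3A%5CWindows%5Csystem32%5Cconfig%5Csystem.sav HTTP/1.1" 200 40960
203.0.113.20 - - [31/Jan/2024:10:03:40 +0000] "GET /AvalancheWeb/image?imageFilePath=logo.png HTTP/1.1" 200 5120
203.0.113.20 - - [31/Jan/2024:10:04:02 +0000] "GET /AvalancheWeb/login.jsf HTTP/1.1" 200 7421
198.51.100.9 - - [31/Jan/2024:10:05:30 +0000] "GET /AvalancheWeb/image?imageFilePath=D:/backup/db.bak HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Absolute forms: drive letter (C:/ or C:\), UNC prefix (\\host), or rooted path (/...).
ABSOLUTE_RE = re.compile(r'^(?:[A-Za-z]:[\\/]|\\\\|/)')


def find_absolute_path_reads(log_text):
    """Return one record per request to /AvalancheWeb/image whose
    imageFilePath value is an absolute path after URL decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Endpoint and parameter names are compared case-insensitively
        # (an assumption made so that case variants are not missed).
        if url.path.lower() != "/avalancheweb/image":
            continue
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        for value in params.get("imagefilepath", []):  # parse_qs percent-decodes
            if ABSOLUTE_RE.match(value):
                status = int(m.group("status"))
                hits.append({
                    "ip": m.group("ip"),
                    "path": value,
                    "status": status,
                    "served": status == 200,  # 200 means a file body was returned
                })
    return hits
```

Records with `served` set to true are the ones to triage first, since the server answered the absolute-path request with content.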
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 HIGH
Ivanti
Ivanti Security Advisory: CVE-2021-30497
vendor_ivanti·2022-04-06·CVSS 7.5
CVE IDs: CVE-2021-30497
CVSS Base Score: 7.5
Severity: HIGH
CWEs: CWE-22
GHSA
GHSA-5pf7-7gpx-8vjv: Ivanti Avalanche (Premise) 6
ghsa_unreviewed·2022-04-07
VulnCheck
Ivanti avalanche Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2021·CVSS 7.5
Affected: Ivanti avalanche
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-31&host_type=src&vulnerability=cve-2021-30497
No detection rules found.
Nuclei
Ivanti Avalanche 6.3.2 - Local File Inclusion
nuclei·CVSS 7.5
Ivanti Avalanche 6.3.2 is vulnerable to local file inclusion because it allows a remote unauthenticated user to access files that reside outside the 'image' folder.
Template:

```yaml
id: CVE-2021-30497

info:
  name: Ivanti Avalanche 6.3.2 - Local File Inclusion
  author: gy741
  severity: high
  description: Ivanti Avalanche 6.3.2 is vulnerable to local file inclusion because it allows remote unauthenticated user to access files that reside outside the 'image' folder.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the affected system.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to fix the LFI vulnerability in Aval
```
- https://forums.ivanti.com/s/article/Security-Alert-CVE-2021-30497-Directory-Traversal-Vulnerability?language=en_US
- https://help.ivanti.com/wl/help/en_us/aod/5.4/Avalanche/Console/Launching_the_Avalanche.htm
- https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/