CVE-2021-30497
published 2022-04-06


Priority: P1 83 (high)
CVSS 3.1: 7.5 (high), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW, EXPLOIT badges; VulnCheck KEV)
EPSS: 96.58% (99.9th percentile)
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.

Affected (1 range)

Vendor   Product     Version range   Fixed in
ivanti   avalanche

Detection & IOCs (extracted from sources)

url:  /AvalancheWeb/image?imageFilePath=C:/windows/win.ini
path: /AvalancheWeb/image
path: C:/Windows/system32/config/system.sav
  • Detect unauthenticated GET requests to /AvalancheWeb/image with an imageFilePath parameter containing absolute Windows paths (e.g., C:/) indicating path traversal attempts.
  • A successful exploitation response (HTTP 200) to /AvalancheWeb/image?imageFilePath=C:/windows/win.ini will contain the string 'for 16-bit app support' in the response body, confirming arbitrary file read.
  • The vulnerability is exploitable by remote unauthenticated users; monitor for requests to /AvalancheWeb/image lacking authentication headers but containing absolute file paths in the imageFilePath query parameter.
  • The vulnerability is specific to Ivanti Avalanche (Premise) version 6.3.2 on Windows platforms; the path traversal uses Windows-style absolute paths (C:/) and may not apply to other OS deployments.
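The detection bullets above, expressed as a small log scanner, as an added example that is not part of this record or of any vendor tooling. The log lines are constructed samples in a combined-log-like format; the scanner flags imageFilePath values that are absolute Windows paths and, going beyond the absolute-path case the record describes, also explicit `..` traversal segments, after undoing single and double URL encoding.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (not real traffic). The first and third mirror
# the indicator paths listed in this record; the fourth is a constructed "../" case.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2022:10:01:02 +0000] "GET /AvalancheWeb/image?imageFilePath=C:/windows/win.ini HTTP/1.1" 200 92
10.0.0.7 - - [06/Apr/2022:10:01:03 +0000] "GET /AvalancheWeb/image?imageFilePath=logo.png HTTP/1.1" 200 4096
10.0.0.9 - - [06/Apr/2022:10:01:04 +0000] "GET /AvalancheWeb/image?imageFilePath=C%3A%2FWindows%2Fsystem32%2Fconfig%2Fsystem.sav HTTP/1.1" 404 0
10.0.0.9 - - [06/Apr/2022:10:01:05 +0000] "GET /AvalancheWeb/image?imageFilePath=..%2F..%2Fplaceholder.txt HTTP/1.1" 500 0
10.0.0.3 - - [06/Apr/2022:10:01:06 +0000] "GET /AvalancheWeb/app/login.jsp HTTP/1.1" 200 1200
"""

# source - - [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')
# Drive-letter absolute path (C:/ or C:\) and parent-directory traversal segments.
ABS_WIN_RE = re.compile(r'^[A-Za-z]:[\\/]')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def suspicious_value(value):
    """True if the (already once-decoded) query value escapes the image folder."""
    decoded = unquote(unquote(value))  # tolerate double URL encoding
    return bool(ABS_WIN_RE.match(decoded) or TRAVERSAL_RE.search(decoded))


def scan_log(text):
    """Return one hit per /AvalancheWeb/image request with a suspicious imageFilePath."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != "/avalancheweb/image":  # Windows paths are case-insensitive
            continue
        for value in parse_qs(parts.query).get("imageFilePath", []):
            if suspicious_value(value):
                hits.append({"src": m.group("src"), "status": int(m.group("status")),
                             "imageFilePath": unquote(unquote(value)),
                             # HTTP 200 on a file outside the image folder suggests a successful read
                             "likely_success": m.group("status") == "200"})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 hit should be escalated and the returned body checked for the win.ini marker string quoted above; non-200 hits still show an attempt worth correlating by source address.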

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck             7.5     HIGH