CVE-2023-41474
Published 2024-01-25
Priority: P3 · 50 · medium · CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 37.61% (98.3th percentile)
Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | avalanche | — | — |
Detection & IOCs
URL: `/AvalancheWeb//faces/java.faces.resource/`
Snort:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Avalanche Directory Traversal Attempt (CVE-2023-41474)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/AvalancheWeb//faces/java.faces.resource/"; fast_pattern; startswith; content:"?loc|3d|"; content:"|2e|"; distance:0; reference:cve,2023-41474; reference:url,github.com/JBalanza/CVE-2023-41474; classtype:attempted-admin; sid:2050604; rev:2; metadata:affected_product Ivanti, created_at 2024_01_30, cve CVE_2023_41474, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_23, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```
- Directory traversal requests target the path /AvalancheWeb//faces/java.faces.resource/ via HTTP GET. The rule matches a URI that starts with this path and contains ?loc= (written ?loc|3d| in the rule, where |3d| is the hex byte for "=") followed anywhere later by a literal dot (|2e|), the character traversal sequences in the loc parameter are built from.
- The attack is performed by a remote authenticated attacker via the javax.faces.resource component; monitor authenticated sessions making GET requests to the AvalancheWeb faces resource path.
- Snort/Suricata SID 2050604 (ET rule, rev:2) can be used to detect exploitation attempts at the network perimeter, internal segments, and on SSL-decrypted traffic.
- PoC/exploit reference available at github.com/JBalanza/CVE-2023-41474; monitor for exploitation tooling sourced from this repository.
- The vulnerability specifically affects Ivanti Avalanche version 6.3.4.153; verify the deployed version before applying detection rules to avoid false positives on patched instances.
- The ET rule lists SSL-decrypted traffic as a deployment target (deployment SSLDecrypt), meaning detection will be blind on HTTPS traffic without TLS inspection in place.
Ivanti
Ivanti Security Advisory: CVE-2023-41474
vendor_ivanti·2024-01-25·CVSS 6.5
CVE-2023-41474 [MEDIUM] CWE-22 Ivanti Security Advisory: CVE-2023-41474
CVE IDs: CVE-2023-41474
CVSS Base Score: 6.5
Severity: MEDIUM
CWEs: CWE-22
GHSA
GHSA-pqh2-qcg3-9x62: Directory Traversal vulnerability in Ivanti Avalanche 6
ghsa_unreviewed·2024-01-25
CVE-2023-41474 [MEDIUM] CWE-22 GHSA-pqh2-qcg3-9x62: Directory Traversal vulnerability in Ivanti Avalanche 6
Suricata
ET WEB_SPECIFIC_APPS Ivanti Avalanche Directory Traversal Attempt (CVE-2023-41474)
suricata·2024-01-30·CVSS 6.5
CVE-2023-41474 [MEDIUM] ET WEB_SPECIFIC_APPS Ivanti Avalanche Directory Traversal Attempt (CVE-2023-41474)
No public exploits indexed.
No writeups or analysis indexed.