CVE-2024-38652
published 2024-08-14

Priority: P267 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 7.60% (93.8th percentile)

Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.

Affected

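14 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | | |
| ivanti | avalanche | >= 6.4.4 < 6.4.4 | 6.4.4 |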

Detection & IOCs (extracted from sources)

  • Vulnerability exists in the skin management component of Ivanti Avalanche 6.3.1; monitor for unauthenticated HTTP requests targeting skin management endpoints containing path traversal sequences (e.g., '../') that could reach arbitrary file paths.
  • Affected version is Ivanti Avalanche 6.3.1; the vulnerability is exploitable by remote unauthenticated attackers, meaning no credentials are required, so perimeter controls alone are insufficient if the skin management component is internet-exposed.

CVSS provenance

| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | v3.0 | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |