Ivanti Avalanche vulnerabilities
117 known vulnerabilities affecting ivanti/avalanche.
Total CVEs
117
CISA KEV
0
Public exploits
5
Exploited in wild
3
Severity breakdown
CRITICAL47HIGH63MEDIUM7
Vulnerabilities
Page 1 of 6
CVE-2023-32563P1CRITICALCVSS 9.8ExploitedPoCfixed in 6.4.12023-08-10
CVE-2023-32563 [CRITICAL] CWE-22 CVE-2023-32563: An unauthenticated attacker could achieve the code execution through a RemoteControl server.
An unauthenticated attacker could achieve the code execution through a RemoteControl server.
nvd
CVE-2024-38653P1HIGHCVSS 7.5ExploitedPoCv6.3.1v6.3.1.1507+12 more2024-08-14
CVE-2024-38653 [HIGH] CWE-611 CVE-2024-38653: XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
nvd
CVE-2021-30497P1HIGHCVSS 7.5ExploitedPoCv6.3.22022-04-06
CVE-2021-30497 [HIGH] CWE-22 CVE-2021-30497: Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Abs
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav
nvd
CVE-2023-32560P1CRITICALCVSS 9.8PoCfixed in 6.4.12023-08-10
CVE-2023-32560 [CRITICAL] CWE-787 CVE-2023-32560: An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could resu
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.
Thanks to a Researcher at Tenable for finding and reporting.
Fixed in version 6.4.1.
nvd
CVE-2023-28128P2HIGHCVSS 7.2PoC≤ 6.3.4.153vAvalanche version 6.3.x and below2023-05-09
CVE-2023-28128 [HIGH] CWE-434 CVE-2023-28128: An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution.
nvd
CVE-2022-36981P1CRITICALCVSS 9.8≥ 6.3.3.101, < 6.3.4v6.3.3.1012023-03-29
CVE-2022-36981 [CRITICAL] CWE-22 CVE-2022-36981: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Iv
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResource class. The issue results from the lack of proper
nvd
CVE-2022-36974P1CRITICALCVSS 9.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36974 [CRITICAL] CWE-502 CVE-2022-36974: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Iv
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Web File Server service. The issue results from the lack of prop
nvd
CVE-2023-46264P1CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46264 [CRITICAL] CWE-434 CVE-2023-46264: An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
nvd
CVE-2024-13179P1CRITICALCVSS 9.8fixed in 6.4.72025-01-14
CVE-2024-13179 [CRITICAL] CWE-22 CVE-2024-13179: Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
nvd
CVE-2023-46263P1CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46263 [CRITICAL] CWE-434 CVE-2023-46263: An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.
nvd
CVE-2024-47010P1CRITICALCVSS 9.8fixed in 6.4.52024-10-08
CVE-2024-47010 [CRITICAL] CWE-22 CVE-2024-47010: Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
nvd
CVE-2021-42125P2HIGHCVSS 8.8fixed in 6.3.32021-12-07
CVE-2021-42125 [HIGH] CWE-502 CVE-2021-42125: An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.
nvd
CVE-2021-42129P2HIGHCVSS 8.8fixed in 6.3.32021-12-07
CVE-2021-42129 [HIGH] CWE-77 CVE-2021-42129: A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with ac
A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
nvd
CVE-2024-24992P2HIGHCVSS 8.8fixed in 6.4.3.528≥ 6.4.3, < 6.4.32024-04-19
CVE-2024-24992 [HIGH] CWE-22 CVE-2024-24992: A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote aut
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
nvd
CVE-2022-36980P2HIGHCVSS 8.1≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36980 [HIGH] CWE-367 CVE-2022-36980: This vulnerability allows remote attackers to bypass authentication on affected installations of Iva
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the EnterpriseServer service. The issue results from the lack of proper l
nvd
CVE-2024-24994P2HIGHCVSS 8.8fixed in 6.4.3.528≥ 6.4.3, < 6.4.32024-04-19
CVE-2024-24994 [HIGH] CWE-22 CVE-2024-24994: A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote aut
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
nvd
CVE-2024-23535P2HIGHCVSS 8.8fixed in 6.4.3.528≥ 6.4.3, < 6.4.32024-04-19
CVE-2024-23535 [HIGH] CWE-22 CVE-2024-23535: A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote aut
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
nvd
CVE-2021-22962P2CRITICALCVSS 9.1fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2021-22962 [CRITICAL] CVE-2021-22962: An attacker can send a specially crafted request which could lead to leakage of sensitive data or po
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
nvd
CVE-2021-42132P2HIGHCVSS 8.8fixed in 6.3.32021-12-07
CVE-2021-42132 [HIGH] CWE-77 CVE-2021-42132: A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with ac
A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
nvd
CVE-2024-13181P2CRITICALCVSS 9.8fixed in 6.4.62025-01-14
CVE-2024-13181 [CRITICAL] CWE-22 CVE-2024-13181: Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.
nvd
1 / 6Next →