cbcvebase.

Ivanti Avalanche vulnerabilities

117 known vulnerabilities affecting ivanti/avalanche.

Total CVEs
117
CISA KEV
0
Public exploits
5
Exploited in wild
3
Severity breakdown
CRITICAL47HIGH63MEDIUM7

Vulnerabilities

Page 2 of 6
CVE-2021-42127P2CRITICALCVSS 9.8fixed in 6.3.32021-12-07
CVE-2021-42127 [CRITICAL] CWE-502 CVE-2021-42127: A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Info A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.
nvd
CVE-2024-24996P2CRITICALCVSS 9.8fixed in 6.4.3.528≥ 6.4.3, < 6.4.32024-04-19
CVE-2024-24996 [CRITICAL] CWE-122 CVE-2024-24996: A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
nvd
CVE-2023-32562P2CRITICALCVSS 9.8fixed in 6.4.12023-08-10
CVE-2023-32562 [CRITICAL] CWE-434 CVE-2023-32562: An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.
nvd
CVE-2022-36982P2HIGHCVSS 7.5≥ 6.3.3.101, < 6.3.4v6.3.3.1012023-03-29
CVE-2022-36982 [HIGH] CWE-22 CVE-2022-36982: This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivan This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AgentTaskHandler class. The issue results from the lack of proper valida
nvd
CVE-2023-46216P2CRITICALCVSS 9.8fixed in 6.4.22023-12-19
CVE-2023-46216 [CRITICAL] CWE-787 CVE-2023-46216: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46217P2CRITICALCVSS 9.8fixed in 6.4.22023-12-19
CVE-2023-46217 [CRITICAL] CWE-787 CVE-2023-46217: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-41727P2CRITICALCVSS 9.8fixed in 6.4.22023-12-19
CVE-2023-41727 [CRITICAL] CWE-787 CVE-2023-41727: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-32564P2CRITICALCVSS 9.8fixed in 6.4.12023-08-10
CVE-2023-32564 [CRITICAL] CWE-434 CVE-2023-32564: An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
nvd
CVE-2021-42130P2HIGHCVSS 8.8fixed in 6.3.32021-12-07
CVE-2021-42130 [HIGH] CWE-502 CVE-2021-42130: A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.
nvd
CVE-2023-46262P2HIGHCVSS 7.5≤ 6.4.1≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46262 [HIGH] CWE-918 CVE-2023-46262: An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Requ An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.
nvd
CVE-2021-42131P2HIGHCVSS 8.8fixed in 6.3.32021-12-07
CVE-2021-42131 [HIGH] CWE-89 CVE-2021-42131: A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
nvd
CVE-2022-44574P2HIGHCVSS 7.5fixed in 6.4.02023-03-10
CVE-2022-44574 [HIGH] CWE-287 CVE-2022-44574: An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthen An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties on specific port.
nvd
CVE-2024-29848P2HIGHCVSS 7.2fixed in 6.4.3.602≥ 6.4.3, ≤ 6.4.32024-05-31
CVE-2024-29848 [HIGH] CWE-434 CVE-2024-29848: An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows a An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.
nvd
CVE-2022-36983P2CRITICALCVSS 9.8≥ 6.3.3.101, < 6.3.4v6.3.3.1012023-03-29
CVE-2022-36983 [CRITICAL] CWE-306 CVE-2022-36983: This vulnerability allows remote attackers to bypass authentication on affected installations of Iva This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage
nvd
CVE-2024-29204P2CRITICALCVSS 9.8fixed in 6.4.3.528≥ 6.4.3, < 6.4.32024-04-19
CVE-2024-29204 [CRITICAL] CWE-122 CVE-2024-29204: A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allow A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
nvd
CVE-2024-22061P2CRITICALCVSS 9.8fixed in 6.4.3.528≥ 6.4.3, < 6.4.32024-04-19
CVE-2024-22061 [CRITICAL] CWE-77 CVE-2024-22061: A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
nvd
CVE-2024-47011P2HIGHCVSS 7.5fixed in 6.4.52024-10-08
CVE-2024-47011 [HIGH] CWE-22 CVE-2024-47011: Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information
nvd
CVE-2022-36979P2CRITICALCVSS 9.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36979 [CRITICAL] CWE-89 CVE-2022-36979: This vulnerability allows remote attackers to bypass authentication on affected installations of Iva This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution
nvd
CVE-2024-47009P2CRITICALCVSS 9.8fixed in 6.4.52024-10-08
CVE-2024-47009 [CRITICAL] CWE-22 CVE-2024-47009: Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
nvd
CVE-2022-36978P2CRITICALCVSS 9.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36978 [CRITICAL] CWE-502 CVE-2022-36978: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Iv This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Notification Server service. The issue results from the lack of
nvd
Ivanti Avalanche vulnerabilities | cvebase