cbcvebase.

Ivanti Avalanche vulnerabilities

117 known vulnerabilities affecting ivanti/avalanche.

Total CVEs
117
CISA KEV
0
Public exploits
5
Exploited in wild
3
Severity breakdown
CRITICAL47HIGH63MEDIUM7

Vulnerabilities

Page 3 of 6
CVE-2022-36977P2CRITICALCVSS 9.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36977 [CRITICAL] CWE-502 CVE-2022-36977: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Iv This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Certificate Management Server service. The issue results from th
nvd
CVE-2022-36976P2CRITICALCVSS 9.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36976 [CRITICAL] CWE-89 CVE-2022-36976: This vulnerability allows remote attackers to bypass authentication on affected installations of Iva This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the
nvd
CVE-2022-36975P2CRITICALCVSS 9.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36975 [CRITICAL] CWE-89 CVE-2022-36975: This vulnerability allows remote attackers to bypass authentication on affected installations of Iva This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on t
nvd
CVE-2022-36972P2CRITICALCVSS 9.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36972 [CRITICAL] CWE-89 CVE-2022-36972: This vulnerability allows remote attackers to bypass authentication on affected installations of Iva This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on t
nvd
CVE-2023-46220P2CRITICALCVSS 9.8fixed in 6.4.22023-12-19
CVE-2023-46220 [CRITICAL] CWE-787 CVE-2023-46220: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46259P2CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46259 [CRITICAL] CWE-787 CVE-2023-46259: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46225P2CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46225 [CRITICAL] CWE-787 CVE-2023-46225: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46261P2CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46261 [CRITICAL] CWE-787 CVE-2023-46261: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46257P2CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46257 [CRITICAL] CWE-787 CVE-2023-46257: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-38036P2CRITICALCVSS 9.8fixed in 6.4.1≥ 6.4.0, < 6.4.12025-07-12
CVE-2023-38036 [CRITICAL] CWE-120 CVE-2023-38036: A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthent A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.
nvd
CVE-2022-36971P2HIGHCVSS 8.8≥ 6.3.2.3490, < 6.3.4v6.3.2.34902023-03-29
CVE-2022-36971 [HIGH] CWE-502 CVE-2022-36971: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Iv This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the JwtTokenUtility class. The issue results from the lack of proper val
nvd
CVE-2024-47008P2HIGHCVSS 7.5fixed in 6.4.52024-10-08
CVE-2024-47008 [HIGH] CWE-918 CVE-2024-47008: Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.
nvd
CVE-2023-46260P2CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46260 [CRITICAL] CWE-787 CVE-2023-46260: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46258P2CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46258 [CRITICAL] CWE-787 CVE-2023-46258: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46222P2CRITICALCVSS 9.8fixed in 6.4.22023-12-19
CVE-2023-46222 [CRITICAL] CWE-787 CVE-2023-46222: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46221P2CRITICALCVSS 9.8fixed in 6.4.22023-12-19
CVE-2023-46221 [CRITICAL] CWE-787 CVE-2023-46221: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46224P2CRITICALCVSS 9.8fixed in 6.4.2≥ 6.4.1, ≤ 6.4.12023-12-19
CVE-2023-46224 [CRITICAL] CWE-787 CVE-2023-46224: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2023-46223P2CRITICALCVSS 9.8fixed in 6.4.22023-12-19
CVE-2023-46223 [CRITICAL] CWE-787 CVE-2023-46223: An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corr An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
nvd
CVE-2024-38652P2CRITICALCVSS 9.1v6.3.1v6.3.1.1507+12 more2024-08-14
CVE-2024-38652 [CRITICAL] CWE-22 CVE-2024-38652: Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenti Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.
nvd
CVE-2023-28127P3HIGHCVSS 7.5≤ 6.3.4.153vAvalanche version 6.3.x and below2023-05-09
CVE-2023-28127 [HIGH] CWE-22 CVE-2023-28127: A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure.
nvd
Ivanti Avalanche vulnerabilities | cvebase