Ivanti Avalanche vulnerabilities
117 known vulnerabilities affecting ivanti/avalanche.
Total CVEs: 117
CISA KEV: 0
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 47, HIGH 63, MEDIUM 7
Vulnerabilities
Page 6 of 6
CVE-2024-50331 | P3 | HIGH | CVSS 7.5 | CWE-125 | fixed in 6.4.6 | 2024-11-12
An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.
nvd
CVE-2023-41725 | P3 | HIGH | CVSS 7.8 | CWE-434 | fixed in 6.4.1.236 | ≥ 6.4.1.236, < 6.4.1.236 | 2023-11-03
Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability
nvd
CVE-2022-43555 | P3 | HIGH | CVSS 7.8 | CWE-306 | fixed in 6.4.1.236 | ≥ 6.4.1.236, < 6.4.1.236 | 2023-11-03
Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability
nvd
CVE-2023-28125 | P3 | MEDIUM | CVSS 5.9 | CWE-287 | ≤ 6.3.4.153 | vAvalanche Premise versions 6.3.x and below | 2023-05-09
An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access to the server by registering to receive messages from the server and perform an authentication bypass.
nvd
CVE-2022-43554 | P3 | HIGH | CVSS 7.8 | CWE-306 | fixed in 6.4.1.236 | 2023-11-03
Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability
nvd
CVE-2024-50321 | P3 | HIGH | CVSS 7.5 | CWE-835 | fixed in 6.4.6 | 2024-11-12
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-50319 | P3 | HIGH | CVSS 7.5 | CWE-835 | fixed in 6.4.6 | 2024-11-12
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2023-41726 | P3 | HIGH | CVSS 7.8 | CWE-276 | fixed in 6.4.1.236 | ≥ 6.4.1.236, < 6.4.1.236 | 2023-11-03
Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability
nvd
CVE-2018-8901 | P3 | HIGH | CVSS 7.8 | ≥ 5.3, ≤ 6.2 | 2018-06-29
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. These passwords are stored in the Avalanche databases. This issue only affects customers who have enabled LDAP authentication in their configurat
nvd
CVE-2024-47007 | P3 | HIGH | CVSS 7.5 | CWE-476 | fixed in 6.4.5 | 2024-10-08
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-50317 | P3 | HIGH | CVSS 7.5 | CWE-476 | fixed in 6.4.6 | 2024-11-12
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-50318 | P3 | HIGH | CVSS 7.5 | CWE-476 | fixed in 6.4.6 | 2024-11-12
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-27984 | P3 | HIGH | CVSS 7.1 | CWE-22 | fixed in 6.4.3.528 | ≥ 6.4.3, < 6.4.3 | 2024-04-19
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service.
nvd
CVE-2018-8902 | P3 | MEDIUM | CVSS 6.5 | CWE-287 | ≥ 5.3, ≤ 6.2 | 2018-06-29
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discovered key to access potentially confidential stored data, which may include Wi-Fi passwords. This discovered key can be used for all i
nvd
CVE-2024-23533 | P3 | MEDIUM | CVSS 6.5 | CWE-125 | fixed in 6.4.3.528 | ≥ 6.4.3, < 6.4.3 | 2024-04-19
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory.
nvd
CVE-2024-27978 | P4 | MEDIUM | CVSS 6.5 | CWE-476 | fixed in 6.4.3.528 | ≥ 6.4.3, < 6.4.3 | 2024-04-19
A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.
nvd
CVE-2024-24991 | P3 | MEDIUM | CVSS 6.5 | CWE-476 | fixed in 6.4.3.528 | ≥ 6.4.3, < 6.4.3 | 2024-04-19
A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.
nvd