Ivanti Avalanche

By the Year

In 2025 there have been 3 vulnerabilities in Ivanti Avalanche, with an average score of 9.0 out of ten. Last year, in 2024, Avalanche had 17 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Avalanche in 2025 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.25.




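| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2025 | 3 | 9.03 |
| 2024 | 17 | 7.79 |
| 2023 | 36 | 8.79 |
| 2022 | 1 | 7.50 |
| 2021 | 10 | 8.93 |
| 2020 | 1 | 9.80 |
| 2019 | 0 | 0.00 |
| 2018 | 2 | 7.15 |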

It may take a day or so for new Avalanche vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Ivanti Avalanche Security Vulnerabilities

Path Traversal in Ivanti Avalanche before version 6.4.7

CVE-2024-13179 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information

CVE-2024-13180 7.5 - High - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication

CVE-2024-13181 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Directory traversal

Ivanti Avalanche Out-of-Bounds Read Information Disclosure Vulnerability

CVE-2024-50331 7.5 - High - November 12, 2024

An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.

Out-of-bounds Read

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50321 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50320 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50319 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability

CVE-2024-50318 7.5 - High - November 12, 2024

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability

CVE-2024-50317 7.5 - High - November 12, 2024

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5

CVE-2024-47007 7.5 - High - October 08, 2024

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

Server-side request forgery in Ivanti Avalanche before version 6.4.5

CVE-2024-47008 7.5 - High - October 08, 2024

Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

SSRF

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47009 9.8 - Critical - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47010 9.8 - Critical - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47011 7.5 - High - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

Directory traversal

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1

CVE-2024-37373 7.2 - High - August 14, 2024

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1

CVE-2024-38653 7.5 - High - August 14, 2024

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

XXE

Path traversal in the skin management component of Ivanti Avalanche 6.3.1

CVE-2024-38652 9.1 - Critical - August 14, 2024

Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.

Directory traversal

A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1

CVE-2024-37399 7.5 - High - August 14, 2024

A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

NULL Pointer Dereference

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1

CVE-2024-36136 7.5 - High - August 14, 2024

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

Off-by-one Error

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153

CVE-2023-41474 6.5 - Medium - January 25, 2024

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

Directory traversal

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption

CVE-2023-46224 9.8 - Critical - December 19, 2023

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution.

Memory Corruption

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption

CVE-2023-46223 9.8 - Critical - December 19, 2023

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution.

Memory Corruption

An attacker can send a specially crafted request

CVE-2021-22962 9.1 - Critical - December 19, 2023

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

An unauthenticated attacker could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.

CVE-2023-46262 7.5 - High - December 19, 2023

An unauthenticated attacker could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.

SSRF

An attacker can send a specially crafted request

CVE-2023-46266 9.1 - Critical - December 19, 2023

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

An unauthenticated attacker could abuse an XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

CVE-2023-46265 9.8 - Critical - December 19, 2023

An unauthenticated attacker could abuse an XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

XXE

Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability

CVE-2022-43554 7.8 - High - November 03, 2023

Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability

Missing Authentication for Critical Function

Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability

CVE-2022-43555 7.8 - High - November 03, 2023

Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability

Missing Authentication for Critical Function

Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability

CVE-2023-41725 7.8 - High - November 03, 2023

Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability

Unrestricted File Upload

Ivanti Avalanche Incorrect Default Permissions

CVE-2023-41726 7.8 - High - November 03, 2023

Incorrect default permissions in Ivanti Avalanche allow local privilege escalation.

Incorrect Default Permissions

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below

CVE-2023-32562 9.8 - Critical - August 10, 2023

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution. Fixed in version 6.4.1.

Unrestricted File Upload

An attacker can send a specially crafted message to the Wavelink Avalanche Manager

CVE-2023-32560 9.8 - Critical - August 10, 2023

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

Memory Corruption

A previously generated artifact by an administrator could be accessed by an attacker

CVE-2023-32561 7.5 - High - August 10, 2023

A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1.

An unauthenticated attacker could achieve code execution through a RemoteControl server.

CVE-2023-32563 9.8 - Critical - August 10, 2023

An unauthenticated attacker could achieve code execution through a RemoteControl server.

Directory traversal

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below

CVE-2023-32564 9.8 - Critical - August 10, 2023

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve remote code execution.

Unrestricted File Upload

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack

CVE-2023-32565 9.1 - Critical - August 10, 2023

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

Ivanti Avalanche decodeToMap XML External Entity Processing

CVE-2023-32567 9.8 - Critical - August 10, 2023

Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236.

XXE

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack

CVE-2023-32566 9.1 - Critical - August 10, 2023

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below

CVE-2023-28125 5.9 - Medium - May 09, 2023

An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access to the server by registering to receive messages from the server and perform an authentication bypass.

Race Condition

An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below

CVE-2023-28126 5.9 - Medium - May 09, 2023

An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message.

Race Condition

A path traversal vulnerability exists in Avalanche version 6.3.x and below

CVE-2023-28127 7.5 - High - May 09, 2023

A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure.

Directory traversal

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below

CVE-2023-28128 7.2 - High - May 09, 2023

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution.

Unrestricted File Upload

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36972 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328.

SQL Injection

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36976 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.

SQL Injection

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36975 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.

SQL Injection

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36974 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Web File Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15330.

Marshaling, Unmarshaling

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36973 8.8 - High - March 29, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15329.

SQL Injection

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36971 8.8 - High - March 29, 2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the JwtTokenUtility class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15301.

Marshaling, Unmarshaling

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36979 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15493.

SQL Injection

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36977 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Certificate Management Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15449.

Marshaling, Unmarshaling

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche

CVE-2022-36983 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.

Missing Authentication for Critical Function

This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101

CVE-2022-36982 7.5 - High - March 29, 2023

This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AgentTaskHandler class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored session cookies, leading to further compromise. Was ZDI-CAN-15967.

Directory traversal

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101

CVE-2022-36981 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResource class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15966.

Directory traversal

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36980 8.1 - High - March 29, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the EnterpriseServer service. The issue results from the lack of proper locking when performing operations during authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15528.

TOCTTOU

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490

CVE-2022-36978 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Notification Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15448.

Marshaling, Unmarshaling

An improper authentication vulnerability exists in Avalanche version 6.3.x and below

CVE-2022-44574 7.5 - High - March 10, 2023

An improper authentication vulnerability exists in Avalanche version 6.3.x and below that allows an unauthenticated attacker to modify properties on a specific port.

Authentication

Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal

CVE-2021-30497 7.5 - High - April 06, 2022

Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.

Directory traversal

An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42125 8.8 - High - December 07, 2021

An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to write dangerous files.

Unrestricted File Upload

An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42126 8.8 - High - December 07, 2021

An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform privilege escalation.

An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42124 8.8 - High - December 07, 2021

An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform a session takeover.

A command injection vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42132 8.8 - High - December 07, 2021

A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform arbitrary command execution.

Command Injection

A SQL Injection vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42131 8.8 - High - December 07, 2021

A SQL Injection vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform privilege escalation.

SQL Injection

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42130 8.8 - High - December 07, 2021

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform arbitrary code execution.

Marshaling, Unmarshaling

A command injection vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42129 8.8 - High - December 07, 2021

A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform arbitrary command execution.

Command Injection

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service

CVE-2021-42128 9.8 - Critical - December 07, 2021

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service that allows Privilege Escalation via Enterprise Server Service.

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service

CVE-2021-42127 9.8 - Critical - December 07, 2021

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service that allows arbitrary code execution via Data Repository Service.

Marshaling, Unmarshaling

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3

CVE-2021-42133 8.1 - High - December 07, 2021

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform an arbitrary file write.

Inclusion of Functionality from Untrusted Control Sphere

Ivanti Avalanche 6.3 allows a SQL injection

CVE-2020-12442 9.8 - Critical - April 28, 2020

Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.

SQL Injection

An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2

CVE-2018-8902 6.5 - Medium - June 29, 2018

An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discovered key to access potentially confidential stored data, which may include Wi-Fi passwords. This discovered key can be used for all instances of the product.

Authentication

An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2

CVE-2018-8901 7.8 - High - June 29, 2018

An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. These passwords are stored in the Avalanche databases. This issue only affects customers who have enabled LDAP authentication in their configuration.
