Ivanti Avalanche


By the Year

In 2025 there have been 3 vulnerabilities in Ivanti Avalanche, with an average score of 9.0 out of ten. Last year, in 2024, Avalanche had 45 security vulnerabilities published. Right now, Avalanche is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.05.




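| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2025 | 3               | 9.03          |
| 2024 | 45              | 7.98          |
| 2023 | 38              | 8.84          |
| 2022 | 1               | 7.50          |
| 2021 | 10              | 8.93          |
| 2020 | 1               | 9.80          |
| 2019 | 0               | 0.00          |
| 2018 | 2               | 7.15          |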

It may take a day or so for new Avalanche vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Ivanti Avalanche Security Vulnerabilities

Path Traversal in Ivanti Avalanche before version 6.4.7

CVE-2024-13179 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information

CVE-2024-13180 7.5 - High - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication

CVE-2024-13181 9.8 - Critical - January 14, 2025

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Directory traversal

Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability

CVE-2024-50317 7.5 - High - November 12, 2024

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability

CVE-2024-50318 7.5 - High - November 12, 2024

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

Ivanti Avalanche Out-of-Bounds Read Information Disclosure Vulnerability

CVE-2024-50331 7.5 - High - November 12, 2024

An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.

Out-of-bounds Read

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50321 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50320 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Ivanti Avalanche Infinite Loop Denial of Service Vulnerability

CVE-2024-50319 7.5 - High - November 12, 2024

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Infinite Loop

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47011 7.5 - High - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47010 9.8 - Critical - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Path Traversal in Ivanti Avalanche before version 6.4.5

CVE-2024-47009 9.8 - Critical - October 08, 2024

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Directory traversal

Server-side request forgery in Ivanti Avalanche before version 6.4.5

CVE-2024-47008 7.5 - High - October 08, 2024

Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

SSRF

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5

CVE-2024-47007 7.5 - High - October 08, 2024

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.

NULL Pointer Dereference

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1

CVE-2024-38653 7.5 - High - August 14, 2024

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

XXE

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1

CVE-2024-36136 7.5 - High - August 14, 2024

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

off-by-five

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1

CVE-2024-37373 7.2 - High - August 14, 2024

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.

A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1

CVE-2024-37399 7.5 - High - August 14, 2024

A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

NULL Pointer Dereference

Path traversal in the skin management component of Ivanti Avalanche 6.3.1

CVE-2024-38652 9.1 - Critical - August 14, 2024

Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.

Directory traversal

An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x

CVE-2024-29848 7.2 - High - May 31, 2024

An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can

CVE-2024-23527 7.5 - High - April 25, 2024

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3

CVE-2024-27978 6.5 - Medium - April 19, 2024

A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.

A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3

CVE-2024-29204 9.8 - Critical - April 19, 2024

A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-27984 7.1 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-27977 8.1 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service.

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can

CVE-2024-23526 7.5 - High - April 19, 2024

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can

CVE-2024-23528 7.5 - High - April 19, 2024

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can

CVE-2024-23529 7.5 - High - April 19, 2024

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3

CVE-2024-22061 9.8 - Critical - April 19, 2024

A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can

CVE-2024-23530 7.5 - High - April 19, 2024

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3

CVE-2024-23531 7.5 - High - April 19, 2024

An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory.

An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3

CVE-2024-23532 7.5 - High - April 19, 2024

An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution.

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can

CVE-2024-23533 6.5 - Medium - April 19, 2024

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory.

An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-23534 8.8 - High - April 19, 2024

An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-23535 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3

CVE-2024-24991 6.5 - Medium - April 19, 2024

A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-24992 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-24993 7.5 - High - April 19, 2024

A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-24994 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-24995 7.5 - High - April 19, 2024

A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3

CVE-2024-24996 9.8 - Critical - April 19, 2024

A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-24997 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-24998 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-24999 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-25000 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3

CVE-2024-27975 8.8 - High - April 19, 2024

A Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3

CVE-2024-27976 8.8 - High - April 19, 2024

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153

CVE-2023-41474 6.5 - Medium - January 25, 2024

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

Directory traversal

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption

CVE-2023-46257 9.8 - Critical - December 19, 2023

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution.

Memory Corruption

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption

CVE-2023-46224 9.8 - Critical - December 19, 2023

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution.

Memory Corruption
