Ivanti Avalanche
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Ivanti Avalanche.
By the Year
In 2025 there have been 3 vulnerabilities in Ivanti Avalanche with an average score of 9.0 out of ten. Last year, in 2024 Avalanche had 17 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Avalanche in 2025 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.25.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 3 | 9.03 |
2024 | 17 | 7.79 |
2023 | 36 | 8.79 |
2022 | 1 | 7.50 |
2021 | 10 | 8.93 |
2020 | 1 | 9.80 |
2019 | 0 | 0.00 |
2018 | 2 | 7.15 |
It may take a day or so for new Avalanche vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Ivanti Avalanche Security Vulnerabilities
Path Traversal in Ivanti Avalanche before version 6.4.7
CVE-2024-13179
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information
CVE-2024-13180
7.5 - High
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication
CVE-2024-13181
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.
Directory traversal
Ivanti Avalanche Out-of-Bounds Read Information Disclosure Vulnerability
CVE-2024-50331
7.5 - High
- November 12, 2024
An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.
Out-of-bounds Read
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50321
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50320
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50319
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability
CVE-2024-50318
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability
CVE-2024-50317
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5
CVE-2024-47007
7.5 - High
- October 08, 2024
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
Server-side request forgery in Ivanti Avalanche before version 6.4.5
CVE-2024-47008
7.5 - High
- October 08, 2024
Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.
SSRF
Path Traversal in Ivanti Avalanche before version 6.4.5
CVE-2024-47009
9.8 - Critical
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.5
CVE-2024-47010
9.8 - Critical
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Path Traversal in Ivanti Avalanche before version 6.4.5
CVE-2024-47011
7.5 - High
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information
Directory traversal
Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1
CVE-2024-37373
7.2 - High
- August 14, 2024
Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1
CVE-2024-38653
7.5 - High
- August 14, 2024
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
XXE
Path traversal in the skin management component of Ivanti Avalanche 6.3.1
CVE-2024-38652
9.1 - Critical
- August 14, 2024
Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.
Directory traversal
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1
CVE-2024-37399
7.5 - High
- August 14, 2024
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
NULL Pointer Dereference
An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1
CVE-2024-36136
7.5 - High
- August 14, 2024
An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
off-by-five
Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153
CVE-2023-41474
6.5 - Medium
- January 25, 2024
Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.
Directory traversal
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption
CVE-2023-46224
9.8 - Critical
- December 19, 2023
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Memory Corruption
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption
CVE-2023-46223
9.8 - Critical
- December 19, 2023
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
Memory Corruption
An attacker can send a specially crafted request
CVE-2021-22962
9.1 - Critical
- December 19, 2023
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.
CVE-2023-46262
7.5 - High
- December 19, 2023
An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.
SSRF
An attacker can send a specially crafted request
CVE-2023-46266
9.1 - Critical
- December 19, 2023
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
CVE-2023-46265
9.8 - Critical
- December 19, 2023
An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
XXE
Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability
CVE-2022-43554
7.8 - High
- November 03, 2023
Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability
Missing Authentication for Critical Function
Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability
CVE-2022-43555
7.8 - High
- November 03, 2023
Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability
Missing Authentication for Critical Function
Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability
CVE-2023-41725
7.8 - High
- November 03, 2023
Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability
Unrestricted File Upload
Ivanti Avalanche Incorrect Default Permissions
CVE-2023-41726
7.8 - High
- November 03, 2023
Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability
Incorrect Default Permissions
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below
CVE-2023-32562
9.8 - Critical
- August 10, 2023
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.
Unrestricted File Upload
An attacker can send a specially crafted message to the Wavelink Avalanche Manager
CVE-2023-32560
9.8 - Critical
- August 10, 2023
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.
Memory Corruption
A previously generated artifact by an administrator could be accessed by an attacker
CVE-2023-32561
7.5 - High
- August 10, 2023
A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1.
An unauthenticated attacker could achieve the code execution through a RemoteControl server.
CVE-2023-32563
9.8 - Critical
- August 10, 2023
An unauthenticated attacker could achieve the code execution through a RemoteControl server.
Directory traversal
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below
CVE-2023-32564
9.8 - Critical
- August 10, 2023
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
Unrestricted File Upload
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack
CVE-2023-32565
9.1 - Critical
- August 10, 2023
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.
Ivanti Avalanche decodeToMap XML External Entity Processing
CVE-2023-32567
9.8 - Critical
- August 10, 2023
Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236
XXE
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack
CVE-2023-32566
9.1 - Critical
- August 10, 2023
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.
An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below
CVE-2023-28125
5.9 - Medium
- May 09, 2023
An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access to the server by registering to receive messages from the server and perform an authentication bypass.
Race Condition
An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below
CVE-2023-28126
5.9 - Medium
- May 09, 2023
An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message.
Race Condition
A path traversal vulnerability exists in Avalanche version 6.3.x and below
CVE-2023-28127
7.5 - High
- May 09, 2023
A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure.
Directory traversal
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below
CVE-2023-28128
7.2 - High
- May 09, 2023
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution.
Unrestricted File Upload
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36972
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328.
SQL Injection
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36976
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.
SQL Injection
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36975
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.
SQL Injection
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36974
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Web File Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15330.
Marshaling, Unmarshaling
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36973
8.8 - High
- March 29, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15329.
SQL Injection
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36971
8.8 - High
- March 29, 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the JwtTokenUtility class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15301.
Marshaling, Unmarshaling
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36979
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15493.
SQL Injection
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36977
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Certificate Management Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15449.
Marshaling, Unmarshaling
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche
CVE-2022-36983
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.
Missing Authentication for Critical Function
This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101
CVE-2022-36982
7.5 - High
- March 29, 2023
This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AgentTaskHandler class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored session cookies, leading to further compromise. Was ZDI-CAN-15967.
Directory traversal
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101
CVE-2022-36981
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResource class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15966.
Directory traversal
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36980
8.1 - High
- March 29, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the EnterpriseServer service. The issue results from the lack of proper locking when performing operations during authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15528.
TOCTTOU
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490
CVE-2022-36978
9.8 - Critical
- March 29, 2023
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Notification Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15448.
Marshaling, Unmarshaling
An improper authentication vulnerability exists in Avalanche version 6.3.x and below
CVE-2022-44574
7.5 - High
- March 10, 2023
An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties on specific port.
authentification
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal
CVE-2021-30497
7.5 - High
- April 06, 2022
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.
Directory traversal
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3
CVE-2021-42125
8.8 - High
- December 07, 2021
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.
Unrestricted File Upload
An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3
CVE-2021-42126
8.8 - High
- December 07, 2021
An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3
CVE-2021-42124
8.8 - High
- December 07, 2021
An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.
A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3
CVE-2021-42132
8.8 - High
- December 07, 2021
A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
Command Injection
A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3
CVE-2021-42131
8.8 - High
- December 07, 2021
A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
SQL Injection
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3
CVE-2021-42130
8.8 - High
- December 07, 2021
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.
Marshaling, Unmarshaling
A command injection vulnerability exists in Ivanti Avalanche before 6.3.3
CVE-2021-42129
8.8 - High
- December 07, 2021
A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
Command Injection
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service
CVE-2021-42128
9.8 - Critical
- December 07, 2021
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service
CVE-2021-42127
9.8 - Critical
- December 07, 2021
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.
Marshaling, Unmarshaling
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3
CVE-2021-42133
8.1 - High
- December 07, 2021
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write.
Inclusion of Functionality from Untrusted Control Sphere
Ivanti Avalanche 6.3 allows a SQL injection
CVE-2020-12442
9.8 - Critical
- April 28, 2020
Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.
SQL Injection
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2
CVE-2018-8902
6.5 - Medium
- June 29, 2018
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discovered key to access potentially confidential stored data, which may include Wi-Fi passwords. This discovered key can be used for all instances of the product.
authentification
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2
CVE-2018-8901
7.8 - High
- June 29, 2018
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. These passwords are stored in the Avalanche databases. This issue only affects customers who have enabled LDAP authentication in their configuration.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Ivanti Avalanche or by Ivanti? Click the Watch button to subscribe.