Heap Overflow Vulnerability in Ivanti Avalanche Before 6.4.3

CVE-2024-29204
9.8 CRITICAL

Key Information

Vendor
Ivanti
Status
Avalanche
Vendor
CVE Published: 19 April 2024

Badges

👾 Exploit Exists
📰 News Worthy

Summary

The first article discusses a critical heap overflow vulnerability in Ivanti Avalanche before version 6.4.3 that allows a remote unauthenticated attacker to execute arbitrary commands on the underlying Windows system. The vulnerability is not known to have been exploited prior to public disclosure. Ivanti has released patches for 27 vulnerabilities, including this critical one, in the newest version of Avalanche. The vulnerabilities can be triggered without user interaction and do not require any pre-conditions for successful exploitation. This is a concerning issue for Ivanti, as it follows a series of vulnerabilities in its enterprise solutions being exploited by attackers. The company has announced efforts to improve product security, support for customers, and information sharing with the community.

Affected Version(s)

Avalanche < 6.4.3

News Articles

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit exists.

  • First article discovered by Help Net Security

  • Risk change from: null to: 9.8 - (CRITICAL)

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD Database, Mitre Database, 3 News Article(s)