Avalanche
by Ivanti
CVEs (113)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-32560 | Cri | 0.75 | 9.8 | 0.99 | Aug 10, 2023 | An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1. | ||
| CVE-2023-46264 | Cri | 0.71 | 9.8 | 0.90 | Dec 19, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution. | ||
| CVE-2023-32563 | Cri | 0.71 | 9.8 | 0.90 | Aug 10, 2023 | An unauthenticated attacker could achieve the code execution through a RemoteControl server. | ||
| CVE-2023-46263 | Cri | 0.70 | 9.8 | 0.82 | Dec 19, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution. | ||
| CVE-2022-36981 | Cri | 0.70 | 9.8 | 0.83 | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… | ||
| CVE-2022-36974 | Cri | 0.70 | 9.8 | 0.84 | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… | ||
| CVE-2021-42127 | Cri | 0.69 | 9.8 | 0.66 | Dec 7, 2021 | A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service. | ||
| CVE-2023-32564 | Cri | 0.67 | 9.8 | 0.37 | Aug 10, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution. | ||
| CVE-2023-32562 | Cri | 0.67 | 9.8 | 0.38 | Aug 10, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1. | ||
| CVE-2024-24996 | Cri | 0.66 | 9.8 | 0.32 | Apr 19, 2024 | A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. | ||
| CVE-2021-22962 | Cri | 0.66 | 9.1 | 0.91 | Dec 19, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. | ||
| CVE-2023-46261 | Cri | 0.65 | 9.8 | 0.11 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46259 | Cri | 0.65 | 9.8 | 0.11 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46257 | Cri | 0.65 | 9.8 | 0.11 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46225 | Cri | 0.65 | 9.8 | 0.11 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46220 | Cri | 0.65 | 9.8 | 0.11 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-38036 | Cri | 0.64 | 9.8 | 0.02 | Jul 12, 2025 | A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution. | ||
| CVE-2024-29204 | Cri | 0.64 | 9.8 | 0.04 | Apr 19, 2024 | A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | ||
| CVE-2024-22061 | Cri | 0.64 | 9.8 | 0.04 | Apr 19, 2024 | A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | ||
| CVE-2023-46265 | Cri | 0.64 | 9.8 | 0.04 | Dec 19, 2023 | An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). |
- risk 0.75cvss 9.8epss 0.99
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.
- risk 0.71cvss 9.8epss 0.90
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
- risk 0.71cvss 9.8epss 0.90
An unauthenticated attacker could achieve the code execution through a RemoteControl server.
- risk 0.70cvss 9.8epss 0.82
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.
- risk 0.70cvss 9.8epss 0.83
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…
- risk 0.70cvss 9.8epss 0.84
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…
- risk 0.69cvss 9.8epss 0.66
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.
- risk 0.67cvss 9.8epss 0.37
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
- risk 0.67cvss 9.8epss 0.38
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.
- risk 0.66cvss 9.8epss 0.32
A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
- risk 0.66cvss 9.1epss 0.91
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
- risk 0.65cvss 9.8epss 0.11
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.65cvss 9.8epss 0.11
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.65cvss 9.8epss 0.11
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.65cvss 9.8epss 0.11
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.65cvss 9.8epss 0.11
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.64cvss 9.8epss 0.02
A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.
- risk 0.64cvss 9.8epss 0.04
A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
- risk 0.64cvss 9.8epss 0.04
A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
- risk 0.64cvss 9.8epss 0.04
An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
Page 1 of 6