Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
2

CVE-2023-41474

Disclosure Date: January 25, 2024
CVE-2023-41474 CVSS v3 Base Score: 6.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

Add Assessment

3
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
UnauthenticatedVulnerable in default configurationNo useful access
Technical Analysis

This is a path traversal vulnerability in Ivanti Avalanche version 6.3.4.153. It is not clear if prior versions are also vulnerable. An unauthenticated attacker can leverage it to access any files under C:\PROGRAM DATA\Wavelink\AVALANCHE\Web webapps\AvalancheWeb\ directory, by requesting the following URL:

http(s)://<domain>/AvalancheWeb//faces/javax.faces.resource/<file>?loc=<directory>

For example, to access the web.xml configuration file, this request can be sent:

http(s)://<domain>/AvalancheWeb//faces/javax.faces.resource/web.xml?loc=../WEB-INF

However, the file extensions allowed to be accessed this way are quite limited. The advisory says only .xml, .html and potentially a few others, depending on the .htaccess rules. That being said, this is still an information disclosure issue that could reveal internal settings and be used by other potential attacks (e.g. the deployment descriptor file web.xml).

The advisory also describes a scenario where one could use a debug feature that performs a memory dump of the Avalanche process for debugging purposes. The memory dump file is stored under a path accessible by this path traversal and could reveal sensitive information the process had in memory when the dump was requested, such as credentials of users that had logged into the application. Note that this feature is only available to users with administrative privileges, which means the attacker needs to be authenticated with these privileges or an administrator has already performed a memory dump and left the file around.

So, it is important to patch this as soon as possible, but I don’t think this is critical.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • ivanti

Products

  • avalanche 6.3.4.153

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis