CVE-2023-28127
Published: 09 May 2023
Summary
CVE-2023-28127 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A path traversal vulnerability tracked as CVE-2023-28127 affects Ivanti Avalanche versions 6.3.x and earlier. The flaw, classified as CWE-22, permits unauthorized access to files outside the intended directories. Its CVSS 3.1 score of 7.5 reflects a network attack vector, low attack complexity, and no required privileges or user interaction, with high confidentiality impact and no integrity or availability impact.
Unauthenticated remote attackers can send specially crafted requests to the getLogFile endpoint to traverse directories and retrieve sensitive files, achieving information disclosure without any prior authentication or user assistance.
The referenced Ivanti support article (ZDI-CAN-17769) describes the directory traversal behavior in Avalanche but supplies no explicit mitigation steps within the source material provided.
EPSS for the CVE rose from a low baseline to a peak of 0.3114 on 2026-02-03 before receding to the current value of 0.0599, indicating a period of increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31838
Vulnerability details
A path traversal vulnerability exists in Avalanche version 6.3.x and below which, when exploited, could result in information disclosure.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
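The control described above, as an added illustration that is not part of this record or of Ivanti's code: a file-serving handler resolves the requested name against a fixed base directory and rejects anything that lands outside it. The log directory, function names and sample inputs are assumptions constructed for the example.

```python
import os
import posixpath

# Hypothetical base directory for the example; the real product layout is not
# given in this record.
LOG_DIR = "/var/log/example-app"


def resolve_log_path(requested_name: str, base_dir: str = LOG_DIR) -> str:
    """Return the absolute path for a requested log file.

    Raises ValueError when the request is malformed or would resolve to a
    location outside base_dir (CWE-22). The check runs on the fully decoded
    name, i.e. after any URL or form decoding the web layer performs.
    """
    if not requested_name or "\x00" in requested_name:
        raise ValueError("empty name or embedded NUL byte")

    # Treat backslashes as separators as well, so Windows-style traversal
    # sequences are normalised and caught by the same containment check.
    normalized = requested_name.replace("\\", "/")
    if posixpath.isabs(normalized):
        raise ValueError("absolute paths are not allowed")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalized))

    # Containment check. commonpath works on path components, so a sibling
    # directory that merely shares a string prefix (e.g. example-app-old)
    # is rejected, which a plain startswith(base) would not do.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("requested path escapes the log directory")
    return candidate


def is_safe_log_name(requested_name: str) -> bool:
    """Convenience wrapper: True if the name resolves inside LOG_DIR."""
    try:
        resolve_log_path(requested_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, several traversal attempts.
    for name in ["app.log", "../../etc/passwd", "..\\..\\win.ini", "/etc/passwd"]:
        print(f"{name!r}: {'allowed' if is_safe_log_name(name) else 'rejected'}")
```

Two points matter in practice: the check must run on the name exactly as the filesystem will see it (decode first, then validate), and containment must be decided on resolved, component-wise paths rather than string prefixes, otherwise symlinks and prefix-sharing sibling directories slip through.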