CVE-2023-41474
Published: 25 January 2024
Summary
CVE-2023-41474 is a medium-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-41474 is a directory traversal vulnerability, tracked as CWE-22, that affects Ivanti Avalanche version 6.3.4.153. It resides in the javax.faces.resource component and carries a CVSS 3.1 base score of 6.5, reflecting network attack vector, low attack complexity, and required low-privileged authentication.
A remote authenticated attacker can supply crafted requests to the affected component and retrieve arbitrary files from the underlying file system, resulting in disclosure of sensitive information while leaving integrity and availability untouched.
Public references consist of a GitHub repository that documents the issue; no vendor advisory or patch information is included in the supplied references. The associated EPSS score stands at 0.7487 with an identical recorded peak, indicating sustained but not newly emergent exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45974
Vulnerability details
Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.