Cyber Resilience

CVE-2023-41474

Severity: Medium · Public PoC available

Published: 25 January 2024
Modified: 12 June 2025
KEV added: not listed
Patch: no patch information in the supplied references
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.7487 (98.9th percentile)
Risk priority: 58 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-41474 is a medium-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-41474 is a directory traversal vulnerability, tracked as CWE-22, that affects Ivanti Avalanche version 6.3.4.153. It resides in the javax.faces.resource component and carries a CVSS 3.1 base score of 6.5, reflecting a network attack vector, low attack complexity, and a requirement for low-privileged authentication.

A remote authenticated attacker can supply crafted requests to the affected component and retrieve arbitrary files from the underlying file system, resulting in disclosure of sensitive information while leaving integrity and availability untouched.

Public references consist of a GitHub repository that documents the issue; no vendor advisory or patch information is included in the supplied references. The associated EPSS score stands at 0.7487 with an identical recorded peak, indicating sustained but not newly emergent exploitation interest.

Vulnerability details

Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: avalanche
Version: 6.3.4.153

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
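The control above, as an added example that is not Ivanti's code: a containment check for a static-resource handler, reused to triage constructed access-log lines for requests that would escape the resource root. The resource root, the suffix allow-list and the log format are assumptions made for this example.

```python
from __future__ import annotations
import re
from pathlib import Path
from urllib.parse import unquote

# Assumed resource root and file-type allow-list for a web resource handler (constructed for this example).
RESOURCE_ROOT = Path("/srv/app/resources")
ALLOWED_SUFFIXES = {".css", ".js", ".png", ".gif", ".woff"}


def safe_resource_path(root: Path, requested: str) -> Path | None:
    """Return the canonical path for `requested` if it stays inside `root`, else None."""
    decoded = unquote(requested)                     # decode exactly once
    if not decoded or "%" in decoded:                # still encoded -> double-encoding, reject
        return None
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None                                  # NUL bytes, backslashes, absolute paths
    root_abs = root.resolve()
    candidate = (root_abs / decoded).resolve()       # collapses any ../ segments
    if not candidate.is_relative_to(root_abs):       # the actual containment check (CWE-22)
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate


# Constructed access-log lines (not from the page) to show the same check used for triage.
SAMPLE_LOG = """\
10.0.0.5 - user1 [25/Jan/2024:10:00:01 +0000] "GET /javax.faces.resource/theme.css HTTP/1.1" 200 1234
10.0.0.9 - user2 [25/Jan/2024:10:00:07 +0000] "GET /javax.faces.resource/..%2F..%2Fconfig%2Fapp.properties HTTP/1.1" 200 4021
10.0.0.9 - user2 [25/Jan/2024:10:00:09 +0000] "GET /javax.faces.resource/app.js HTTP/1.1" 200 87
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[[^\]]+\] "GET /javax\.faces\.resource/(\S*) HTTP/[\d.]+" (\d{3})'
)


def flag_traversal_requests(log_text: str) -> list[dict]:
    """List resource-handler requests whose path would resolve outside the resource root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, user, resource, status = m.groups()
        if safe_resource_path(RESOURCE_ROOT, resource) is None:
            hits.append({"src": src, "user": user, "resource": resource, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("suspicious resource request:", hit)
```

A 200 response on a flagged request is the signal to investigate; a 403 or 404 on the same path shows the containment check doing its job.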
