CVE-2024-29204
Published: 19 April 2024
Summary
CVE-2024-29204 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Ivanti Avalanche. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-29204 is a heap overflow vulnerability, tracked as CWE-122, in the WLAvalancheService component of Ivanti Avalanche versions prior to 6.4.3. The flaw received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.
A remote unauthenticated attacker can send specially crafted input to the affected service and trigger the overflow, resulting in arbitrary command execution on the target system. Because the service is reachable over the network and requires no credentials, the issue is exploitable by any party with network connectivity to an unpatched Avalanche deployment.
Ivanti’s advisory for Avalanche 6.4.3 states that the release incorporates fixes for this CVE together with additional security hardening changes; administrators are advised to upgrade to 6.4.3 or later. The EPSS score has remained steady at 0.1221 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26221
Vulnerability details
A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.