CVE-2024-36136
Published: 14 August 2024
Summary
CVE-2024-36136 is a high-severity Off-by-one Error (CWE-193) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-36136 is an off-by-one error in the WLInfoRailService component of Ivanti Avalanche version 6.3.1. The flaw produces a denial-of-service condition when triggered, reflected in its CVSS 3.1 base score of 7.5 with network attack vector, no authentication or user interaction required, and high availability impact.
A remote unauthenticated attacker can send a crafted request to the affected service over the network, causing it to crash and interrupting availability for legitimate users or dependent management functions. No confidentiality or integrity loss occurs.
The referenced Ivanti security advisory addresses this issue alongside several other CVEs and directs customers to upgrade to a fixed release, specifically Avalanche 6.4.4 or later, as the primary mitigation.
EPSS for the vulnerability rose from a low baseline to a recorded peak of 0.0801 before settling at the current value of 0.0628, indicating measurable post-disclosure exploitation interest that warrants renewed monitoring.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35894
Vulnerability details
An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.