Cyber Resilience

CVE-2024-50331

Severity: High

Published: 12 November 2024
Modified: 18 December 2024
KEV Added: not listed
Patch: upgrade to Avalanche 6.4.6 or later
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0550 (90.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-50331 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 9.6% of CVEs by exploit likelihood (EPSS 90.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

An out-of-bounds read vulnerability tracked as CVE-2024-50331 affects Ivanti Avalanche versions prior to 6.4.6. The flaw, assigned CWE-125 and carrying a CVSS 3.1 base score of 7.5, permits a remote attacker to read sensitive data from process memory without authentication or user interaction.

A remote unauthenticated attacker can send crafted network requests to an unpatched Avalanche instance and retrieve arbitrary memory contents, resulting in disclosure of sensitive information while leaving integrity and availability unaffected.

The vendor advisory for the Q4 2024 Ivanti Avalanche release set recommends upgrading to version 6.4.6 or later to address this and related issues. The associated EPSS score peaked at 0.0861 after disclosure before settling at 0.0550, indicating a modest, since-subsided rise in the predicted likelihood of exploitation following publication.

Vulnerability details

An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: avalanche
Versions: before 6.4.6 (fixed in 6.4.6)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
