CVE-2024-50331
Published: 12 November 2024
Summary
CVE-2024-50331 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An out-of-bounds read vulnerability tracked as CVE-2024-50331 affects Ivanti Avalanche versions prior to 6.4.6. The flaw, assigned CWE-125 and carrying a CVSS 3.1 base score of 7.5, permits a remote attacker to read sensitive data from process memory without authentication or user interaction.
A remote unauthenticated attacker can send crafted network requests to an unpatched Avalanche instance and retrieve arbitrary memory contents, resulting in disclosure of sensitive information while leaving integrity and availability unaffected.
The vendor advisory for the Q4 2024 Ivanti Avalanche release set recommends upgrading to version 6.4.6 or later to address this and related issues. The associated EPSS score reached a peak of 0.0861 after disclosure before settling at 0.0550. Because EPSS is a modelled probability of exploitation, this indicates a modest post-publication increase in predicted exploitation likelihood rather than observed attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44826
Vulnerability details
An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.