CRITICAL🇵🇱 Wersja polska

CVE-2024-22061

CVSS 9.8v3.1pub. 2024-04-19upd. 2025-05-06

A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

🤖 AI Analysis
How it works

The vulnerability is a heap overflow in the WLInfoRailService component, which is part of the Ivanti Avalanche platform. An attacker can send a specially crafted network request without needing any credentials. The heap overflow leads to the possibility of executing arbitrary commands (command injection / RCE) in the context of the vulnerable service.

Impact

An attacker can remotely execute arbitrary system commands on a vulnerable server without authentication, which in practice means complete system takeover, data breach, and the ability to perform lateral movement within the network.

Mitigation & patch

Ivanti Avalanche should be updated to version 6.4.3 or later. Detailed information about the patch is available in the vendor's official security notice: https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed

Who is affected

Ivanti Avalanche versions prior to 6.4.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ivanti Avalanche

    APP
    Ivanti
    < 6.4.3.528
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassMemory
CWE
References

Related vulnerabilities

CVE-2023-38036CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w Ivanti Avalanche Manager umożliwiający RCE bez uwierzytelnienia

CVE-2024-38652CRITICAL9.1PL ✓ten sam produkt

Path Traversal w Ivanti Avalanche — nieuprawnione usuwanie plików i DoS

CVE-2024-24996CRITICAL9.8PL ✓ten sam produkt

Heap overflow w Ivanti Avalanche umożliwia zdalne wykonanie kodu

CVE-2024-29204CRITICAL9.8PL ✓ten sam produkt

Heap Overflow w Ivanti Avalanche umożliwia zdalne wykonanie kodu

CVE-2023-46216CRITICAL9.8PL ✓ten sam produkt

Ivanti Avalanche — RCE/DoS przez korupcję pamięci w Mobile Device Server