Ivanti Avalanche

118 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-8297
< 6.4.8.8008
Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker wit
7.2HIGH
CVE-2025-8296
< 6.4.8.8008
SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execut
7.2HIGH
CVE-2023-38036
< 6.4.1
A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a bu
9.8CRITICAL
CVE-2024-13181
< 6.4.6
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CV
7.3HIGH
CVE-2024-13180
< 6.4.7
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. Th
7.5HIGH
CVE-2024-13179
< 6.4.7
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
7.3HIGH
CVE-2024-50331
< 6.4.6
An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive in
7.5HIGH
CVE-2024-50321
< 6.4.6
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
7.5HIGH
CVE-2024-50320
< 6.4.6
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
7.5HIGH
CVE-2024-50319
< 6.4.6
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
7.5HIGH
CVE-2024-50318
< 6.4.6
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
7.5HIGH
CVE-2024-50317
< 6.4.6
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
7.5HIGH
CVE-2024-47011
< 6.4.5
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information
7.5HIGH
CVE-2024-47010
< 6.4.5
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
7.3HIGH
CVE-2024-47009
< 6.4.5
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
7.3HIGH
CVE-2024-47008
< 6.4.5
Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive in
7.5HIGH
CVE-2024-47007
< 6.4.5
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated atta
7.5HIGH
CVE-2024-38653
all versions
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
7.5HIGH
CVE-2024-38652
all versions
Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve deni
9.1CRITICAL
CVE-2024-37399
all versions
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the s
7.5HIGH
CVE-2024-37373
all versions
Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rig
7.2HIGH
CVE-2024-36136
all versions
An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service,
7.5HIGH
CVE-2024-29848
< 6.4.3.602
An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged us
7.2HIGH
CVE-2024-23527
< 6.4.3.528
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can al
7.5HIGH
CVE-2024-29204
< 6.4.3.528
A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated att
9.8CRITICAL
CVE-2024-27984
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete
7.1HIGH
CVE-2024-27978
< 6.4.3.528
A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated
6.5MEDIUM
CVE-2024-27977
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete
8.1HIGH
CVE-2024-27976
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-27975
< 6.4.3.528
A Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated att
8.8HIGH
CVE-2024-25000
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-24999
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-24998
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-24997
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-24996
< 6.4.3.528
A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote att
9.8CRITICAL
CVE-2024-24995
< 6.4.3.528
A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker t
7.5HIGH
CVE-2024-24994
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-24993
< 6.4.3.528
A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker t
7.5HIGH
CVE-2024-24992
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-24991
< 6.4.3.528
A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated
6.5MEDIUM
CVE-2024-23535
< 6.4.3.528
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute
8.8HIGH
CVE-2024-23534
< 6.4.3.528
An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker
8.8HIGH
CVE-2024-23533
< 6.4.3.528
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can al
6.5MEDIUM
CVE-2024-23532
< 6.4.3.528
An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remot
7.5HIGH
CVE-2024-23531
< 6.4.3.528
An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote
7.5HIGH
CVE-2024-23530
< 6.4.3.528
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can al
7.5HIGH
CVE-2024-23529
< 6.4.3.528
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can al
7.5HIGH
CVE-2024-23528
< 6.4.3.528
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can al
7.5HIGH
CVE-2024-23526
< 6.4.3.528
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can al
7.5HIGH
CVE-2024-22061
< 6.4.3.528
A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated atta
9.8CRITICAL
CVE-2023-41474
all versions
Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive informa
6.5MEDIUM
CVE-2023-46804
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
7.5HIGH
CVE-2023-46803
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
7.5HIGH
CVE-2023-46266
<= 6.4.1
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS
9.1CRITICAL
CVE-2023-46265
<= 6.4.1
An unauthenticated attacker could abuse an XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forger
9.8CRITICAL
CVE-2023-46264
< 6.4.2
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an
9.8CRITICAL
CVE-2023-46263
< 6.4.2
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an
9.8CRITICAL
CVE-2023-46262
<= 6.4.1
An unauthenticated attacker could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti A
7.5HIGH
CVE-2023-46261
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46260
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46259
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46258
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46257
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46225
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46224
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46223
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46222
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46221
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46220
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46217
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-46216
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2023-41727
< 6.4.2
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a
9.8CRITICAL
CVE-2021-22962
< 6.4.2
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS
9.1CRITICAL
CVE-2023-41726
< 6.4.1.236
Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability
7.8HIGH
CVE-2023-41725
< 6.4.1.236
Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability
7.8HIGH
CVE-2022-43555
< 6.4.1.236
Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability
7.8HIGH
CVE-2022-43554
< 6.4.1.236
Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability
7.8HIGH
CVE-2023-32565
< 6.4.1
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS
9.1CRITICAL
CVE-2023-32564
< 6.4.1
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an
9.8CRITICAL
CVE-2023-32563
< 6.4.1
An unauthenticated attacker could achieve code execution through a RemoteControl server.
9.8CRITICAL
CVE-2023-32562
< 6.4.1
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an
9.8CRITICAL
CVE-2023-32561
< 6.4.1
A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to
7.5HIGH
CVE-2023-32560
< 6.4.1
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or ar
9.8CRITICAL
CVE-2023-32567
< 6.4.1
Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236
9.8CRITICAL
CVE-2023-32566
< 6.4.1
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS
9.1CRITICAL
CVE-2023-28128
<= 6.3.4.153
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an
7.2HIGH
CVE-2023-28127
<= 6.3.4.153
A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible informatio
7.5HIGH
CVE-2023-28126
<= 6.3.4.153
An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by
5.9MEDIUM
CVE-2023-28125
<= 6.3.4.153
An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain
5.9MEDIUM
CVE-2022-36983
>= 6.3.3.101 and < 6.3.4
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication
9.8CRITICAL
CVE-2022-36982
>= 6.3.3.101 and < 6.3.4
This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Althou
7.5HIGH
CVE-2022-36981
>= 6.3.3.101 and < 6.3.4
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Alth
9.8CRITICAL
CVE-2022-36980
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Alth
8.1HIGH
CVE-2022-36979
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Alth
9.8CRITICAL
CVE-2022-36978
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Alt
9.8CRITICAL
CVE-2022-36977
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Alt
9.8CRITICAL
CVE-2022-36976
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The
9.8CRITICAL
CVE-2022-36975
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The
9.8CRITICAL
CVE-2022-36974
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Alt
9.8CRITICAL
CVE-2022-36973
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Alth
8.8HIGH
CVE-2022-36972
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The
9.8CRITICAL
CVE-2022-36971
>= 6.3.2.3490 and < 6.3.4
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Alt
8.8HIGH
CVE-2022-44574
< 6.4.0
An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify pro
7.5HIGH
CVE-2021-30497
all versions
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imag
7.5HIGH
CVE-2021-42133
< 6.3.3
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail
8.1HIGH
CVE-2021-42132
< 6.3.3
A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service t
8.8HIGH
CVE-2021-42131
< 6.3.3
A SQL Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to per
8.8HIGH
CVE-2021-42130
< 6.3.3
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the In
8.8HIGH
CVE-2021-42129
< 6.3.3
A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service t
8.8HIGH
CVE-2021-42128
< 6.3.3
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escala
9.8CRITICAL
CVE-2021-42127
< 6.3.3
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary
9.8CRITICAL
CVE-2021-42126
< 6.3.3
An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Info
8.8HIGH
CVE-2021-42125
< 6.3.3
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail S
8.8HIGH
CVE-2021-42124
< 6.3.3
An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Se
8.8HIGH
CVE-2020-11733
<= 5.08
An issue was discovered on Spirent TestCenter and Avalanche appliance admin interface firmware. An attacker, who already has acces
6.7MEDIUM
CVE-2020-12442
all versions
Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.
9.8CRITICAL
CVE-2018-8902
>= 5.3 and <= 6.2
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key e
6.5MEDIUM
CVE-2018-8901
>= 5.3 and <= 6.2
An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can
7.8HIGH
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin