- 331/2023
- Critical
Ivanti has released security updates to fix multiple vulnerabilities affecting all supported versions of Ivanti Avalanche.
The addressed vulnerabilities could allow the remote attacker to execute arbitrary code, gain access, perform server-side request forgery (SSRF), or trigger denial of services attacks on the affected products.
Sample of the addressed vulnerabilities:
1. Ivanti Wavelink Avalanche Premise Code Execution (CVE-2023-46222):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Ivanti Avalanche WLAvalancheService Denial of Service (CVE-2023-46803):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.