Cyber Posture

CVE-2024-13180

High

Published: 14 January 2025

Modified: 16 January 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3851 (97.3rd percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Description

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Security Summary

CVE-2024-13180 is a path traversal vulnerability (CWE-22) affecting Ivanti Avalanche versions prior to 6.4.7. It enables a remote unauthenticated attacker to leak sensitive information and addresses incomplete fixes for the related CVE-2024-47011. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): it is reachable over the network with low attack complexity, requires no privileges or user interaction, leaves scope unchanged, and has a high confidentiality impact with no integrity or availability impact.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity to read arbitrary files on the affected system, potentially exposing sensitive data such as configuration files or other restricted information.

Ivanti's security advisory for Avalanche 6.4.7 addresses this and multiple other CVEs, recommending an update to version 6.4.7 or later as the primary mitigation. Additional details are available in the official advisory at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs.

Details

CWE(s)
CWE-22

Affected Products

ivanti
avalanche
≤ 6.4.7

References