CVE-2024-13181

CVE-2024-13181 is a path traversal vulnerability (CWE-22) in Ivanti Avalanche software versions prior to 6.4.7 that enables authentication bypass (CWE-288). It stems from incomplete fixes applied for the related CVE-2024-47010. The issue allows attackers to manipulate file paths in requests to access restricted resources without valid credentials. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious requests that traverse directories, the attacker bypasses authentication mechanisms, potentially gaining unauthorized access to sensitive files or functionalities within the Avalanche management server. Successful exploitation could result in limited impacts: low-level disclosure of confidential information, minor integrity modifications, or slight denial of service.

Ivanti's security advisory for Avalanche 6.4.7 addresses this and multiple related CVEs, recommending immediate upgrade to version 6.4.7 or later to apply the complete fixes. The advisory is available at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs. Practitioners should verify installations, monitor for anomalous path traversal attempts in logs, and restrict network exposure of Avalanche servers until patched.