CVE-2024-47011 Overview
CVE-2024-47011 is a path traversal vulnerability [CWE-22] affecting Ivanti Avalanche before version 6.4.5. The flaw allows a remote, unauthenticated attacker to read files outside the intended directory and leak sensitive information from the server. Exploitation requires no user interaction and can be performed over the network against exposed Avalanche instances. Ivanti addressed the issue in the 6.4.5 release published through its security advisory portal. The vulnerability carries an EPSS probability of 44.037% (percentile 97.59), indicating elevated likelihood of exploitation activity relative to other published CVEs.
Critical Impact
Unauthenticated remote attackers can traverse the file system on vulnerable Ivanti Avalanche servers and exfiltrate sensitive data without credentials or user interaction.
Affected Products
- Ivanti Avalanche (premise) versions prior to 6.4.5
- Ivanti Avalanche Enterprise Mobility Management deployments
- On-premise Avalanche servers exposing the management interface to untrusted networks
Discovery Timeline
- 2024-10-08 - CVE-2024-47011 published to NVD
- 2024-10-16 - Last updated in NVD database
Technical Details for CVE-2024-47011
Vulnerability Analysis
The vulnerability is a path traversal weakness [CWE-22] in the Ivanti Avalanche premise product. Avalanche fails to properly canonicalize and validate user-supplied path parameters before using them in file access operations. An attacker can supply traversal sequences such as ../ to escape the intended directory and reference arbitrary files on the host. Because the affected request path does not require authentication, attackers can read sensitive files reachable by the Avalanche service account. The disclosure scope is limited to confidentiality, with no integrity or availability impact reported by the vendor.
Root Cause
The root cause is insufficient input validation on file path parameters processed by the Avalanche server. The application accepts path segments from remote callers and uses them in file system operations without enforcing a base directory or rejecting traversal characters. This pattern allows references outside the intended content root.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker sends a crafted HTTP request to an exposed Avalanche endpoint containing directory traversal sequences in a path parameter. The server resolves the manipulated path and returns the contents of a file outside the intended scope. No code execution, privilege escalation, or modification of data is required to achieve information disclosure. Refer to the Ivanti Avalanche 6.4.5 Security Advisory for vendor-specific technical details.
Detection Methods for CVE-2024-47011
Indicators of Compromise
- HTTP requests to Avalanche endpoints containing ../, ..%2f, ..\, or URL-encoded traversal sequences in path or query parameters
- Unexpected outbound responses from Avalanche servers containing contents of system files such as web.config, configuration databases, certificates, or credential files
- Web server access logs showing anomalous file paths or HTTP 200 responses to requests targeting paths outside the application root
Detection Strategies
- Inspect Avalanche web server and reverse proxy logs for path parameters containing traversal patterns and encoded variants
- Deploy web application firewall signatures that flag directory traversal sequences against Avalanche URIs
- Correlate large or unusual response bodies returned by Avalanche endpoints with the originating request paths to identify file leakage
Monitoring Recommendations
- Forward Avalanche IIS or web server logs to a centralized logging platform for query and retention
- Alert on unauthenticated requests to Avalanche endpoints originating from external networks
- Baseline normal Avalanche API traffic and flag deviations in URI structure, request volume, or response size
How to Mitigate CVE-2024-47011
Immediate Actions Required
- Upgrade Ivanti Avalanche to version 6.4.5 or later as published in the Ivanti Avalanche 6.4.5 Security Advisory
- Restrict network access to the Avalanche management interface to trusted administrative subnets and VPN ranges
- Review web server access logs for prior exploitation attempts containing traversal sequences
- Rotate credentials, certificates, and secrets stored on the Avalanche server if exposure is suspected
Patch Information
Ivanti released Avalanche 6.4.5 to remediate this issue. Administrators should download the update from the Ivanti customer portal and apply it to all on-premise Avalanche servers. Review the vendor advisory for the complete list of fixes bundled in the same release, as multiple vulnerabilities were addressed concurrently.
Workarounds
- Place Avalanche behind a reverse proxy or WAF that blocks requests containing traversal sequences and encoded variants
- Limit inbound access to Avalanche to authenticated administrators through network segmentation and firewall rules
- Disable or restrict any non-essential Avalanche services exposed over the network until patching is complete
# Example WAF rule fragment to block path traversal attempts targeting Avalanche
SecRule REQUEST_URI "@rx (\.\./|\.\.%2f|\.\.%5c|%2e%2e/)" \
"id:1004701,phase:1,deny,status:403,msg:'Path traversal attempt against Avalanche'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
