CVE-2021-42125: 
Ivanti Avalanche vulnerability analysis and mitigation

An unrestricted file upload vulnerability (CVE-2021-42125) was discovered in Ivanti Avalanche versions prior to 6.3.3. The vulnerability was disclosed on December 7, 2021, affecting the Inforail Service component of the software. This security flaw allows authenticated attackers with access to the Inforail Service to write dangerous files to the system (NVD, CVE Mitre).

The vulnerability exists within the FileStoreConfig app and stems from inadequate validation of user-supplied data. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The flaw is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-502 (Deserialization of Untrusted Data) (ZDI Advisory, NVD).

The vulnerability allows attackers to execute arbitrary code in the context of the service account, potentially leading to complete system compromise. The high CVSS score reflects the severe potential impact on the confidentiality, integrity, and availability of the affected system (ZDI Advisory).

The vulnerability has been fixed in Ivanti Avalanche version 6.3.3. Organizations running affected versions should upgrade to this version or later to mitigate the risk (NVD, ZDI Advisory).