CVE-2021-42129: 
Ivanti Avalanche vulnerability analysis and mitigation

A command injection vulnerability (CVE-2021-42129) was discovered in Ivanti Avalanche versions prior to 6.3.3. The vulnerability was reported on September 22, 2021, and publicly disclosed on November 19, 2021. This security flaw affects the Inforail Service component of Ivanti Avalanche software (ZDI Advisory, NVD).

The vulnerability exists within the mapShare method of Ivanti Avalanche and is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command). The issue stems from inadequate validation of user-supplied strings before their use in system calls. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the service account. The high CVSS score reflects the potential for complete compromise of system confidentiality, integrity, and availability (ZDI Advisory).

The vulnerability has been addressed in Ivanti Avalanche version 6.3.3. Users are advised to upgrade to this version or later to mitigate the risk (ZDI Advisory).