CVE-2023-32561: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2023-32561 is an authentication bypass vulnerability affecting Ivanti Avalanche, an enterprise mobility management solution. The vulnerability was discovered and reported by HackerOne in May 2023. The issue stems from a previously generated artifact by an administrator that could be accessed by an attacker, potentially leading to authentication bypass. The vulnerability affects versions prior to 6.4.1 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. HackerOne provided an alternative CVSS v3.0 score of 7.1 (High) with vector string CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthorized access to administrator-generated artifacts, which could lead to authentication bypass in the Ivanti Avalanche system. This could potentially compromise the security of the enterprise mobility management solution used by organizations (SecurityWeek).

Ivanti has released version 6.4.1 of Avalanche to address this vulnerability along with several other security issues. Organizations using affected versions are strongly advised to upgrade to version 6.4.1 to mitigate the risk (SecurityWeek).