CVE-2023-32564: 
Ivanti Avalanche vulnerability analysis and mitigation

An unrestricted upload of file with dangerous type vulnerability (CVE-2023-32564) was identified in Ivanti Avalanche versions 6.4.1 and below. The vulnerability was discovered in May 2023 and publicly disclosed on August 15, 2023. This security flaw affects Ivanti's enterprise mobile device management (MDM) solution, Avalanche (NVD, SecurityWeek).

The vulnerability exists within the FileStoreConfig app and stems from inadequate validation of user-supplied data, which enables the upload of arbitrary files. The flaw has been assigned a CVSS v3.1 base score of 9.8 (Critical) by NIST, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. However, HackerOne assessed it with a CVSS score of 6.8 (Medium). The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (ZDI, NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of SYSTEM privileges on affected installations of Ivanti Avalanche. Authentication is required to exploit this vulnerability (ZDI).

Ivanti has addressed this vulnerability by releasing version 6.4.1.207 of Avalanche. Organizations using affected versions are strongly advised to upgrade to the patched version (SecurityWeek, ZDI).