CVE-2023-41474: 
Ivanti Avalanche vulnerability analysis and mitigation

A directory traversal vulnerability (CVE-2023-41474) was discovered in Ivanti Avalanche version 6.3.4.153. The vulnerability allows a remote authenticated attacker to obtain sensitive information through the javax.faces.resource component. The issue was disclosed on January 25, 2024, affecting Ivanti Avalanche's on-premise installations (NVD, MITRE CVE).

The vulnerability is a path traversal issue that enables access to files under the C:\PROGRAM DATA\Wavelink\AVALANCHE\Web\webapps\AvalancheWeb directory. The exploitation can be performed using the URL pattern: /AvalancheWeb//faces/javax.faces.resource/?loc=. Only specific file extensions like .xml and .html are accessible, depending on .htaccess rules. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD, Security Online).

The vulnerability can lead to unauthorized access to configuration settings and internal information. In more severe scenarios, attackers could potentially access memory dump files (dump.hprof) that may contain sensitive information such as login credentials, which could be used for session hijacking and complete server compromise. This information could enable privilege escalation or lateral movement within the environment (Security Online).

Organizations running Ivanti Avalanche version 6.3.4.153 should apply any available security updates from the vendor. Additionally, organizations should monitor for unauthorized access attempts and ensure proper access controls are in place for sensitive system files (NVD).