
Cloud Vulnerability DB
A community-led vulnerabilities database
The Ivanti Avalanche Incorrect Default Permissions vulnerability (CVE-2023-41726) was discovered and published on November 3, 2023. This vulnerability affects Ivanti Avalanche installations up to version 6.4.1.236. The issue stems from incorrect permissions set on product folders created by the installer (NVD, ZDI).
The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The specific flaw exists within the product installer, where incorrect default permissions are set on product folders during installation. This vulnerability is classified as CWE-276 (Incorrect Default Permissions) (NVD).
The vulnerability allows local attackers with low-privileged access to escalate privileges and execute arbitrary code in the context of SYSTEM on affected installations of Ivanti Avalanche (ZDI).
Ivanti has addressed this vulnerability in version 6.4.1.236. Users are advised to upgrade to this version to mitigate the risk (Release Notes).
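One way to audit a product folder for the CWE-276 condition described above is to parse `icacls <folder>` output and list allow entries that give low-privileged groups write-type access. This is an added example, not code from Ivanti, NVD or ZDI; the folder path and ACL lines are constructed placeholders, the function name `risky_aces` is hypothetical, and English principal names are assumed.

```python
import re

# Well-known low-privileged principals (English names; localized systems differ).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that let the holder create, replace or delete content.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DC", "DE", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([A-Za-z,]+\))+)$")

def risky_aces(path, icacls_text):
    """Return (principal, sorted write rights) for each allow ACE that gives a
    low-privileged principal write-type access in `icacls <path>` output."""
    findings = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^)]+)\)", m["groups"]):
            tokens.update(t.strip().upper() for t in group.split(","))
        if "DENY" in tokens:
            continue  # deny ACEs do not grant access
        rights = (tokens - INHERIT_FLAGS) & WRITE_RIGHTS
        if m["who"].strip().lower() in LOW_PRIV and rights:
            findings.append((m["who"].strip(), sorted(rights)))
    return findings

# Constructed sample: placeholder path and ACLs, not taken from a real installation.
SAMPLE_PATH = r"C:\Program Files\ExampleVendor\ExampleProduct"
SAMPLE_OUTPUT = r"""C:\Program Files\ExampleVendor\ExampleProduct NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                              BUILTIN\Administrators:(OI)(CI)(F)
                                              BUILTIN\Users:(OI)(CI)(RX)
                                              NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                                              Everyone:(CI)(WD,AD)
                                              Everyone:(DENY)(D)

Successfully processed 1 files; 0 failed processing files
"""

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE_PATH, SAMPLE_OUTPUT):
        print(f"{who}: {','.join(rights)}")
```

Any finding on a folder that holds binaries or configuration loaded by a SYSTEM service is the condition to remediate, whether by upgrading or by tightening the ACL.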
Source: This report was generated using AI