CVE-2023-46263: 
Ivanti Avalanche vulnerability analysis and mitigation

An unrestricted upload of file with dangerous type vulnerability exists in Ivanti Avalanche versions 6.4.1 and below that could allow an attacker to achieve remote code execution. The vulnerability was discovered and reported through Trend Micro's Zero Day Initiative and was assigned CVE-2023-46263. The issue was addressed in Avalanche version 6.4.2, released in December 2023 (NVD, ZDI).

The vulnerability exists within the FileStoreConfig app of Ivanti Avalanche. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in the upload of arbitrary files. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while HackerOne assigned it a score of 7.2 (HIGH) with a vector string of CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD, ZDI).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of SYSTEM on affected installations of Ivanti Avalanche. Authentication is required to exploit this vulnerability (ZDI).

Ivanti has released version 6.4.2 of Avalanche to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk. The fix is included in the security hardening updates of version 6.4.2 (Ivanti, Release Notes).