CVE-2023-46265: 
Ivanti Avalanche vulnerability analysis and mitigation

An unauthenticated attacker could exploit an XML External Entity (XXE) vulnerability in the Smart Device Server component of Ivanti Avalanche to leak data or perform Server-Side Request Forgery (SSRF). The vulnerability affects all supported versions of Avalanche 6.3.1 and above, with older versions also being at risk (Ivanti Blog).

The vulnerability exists within the decode method of Ivanti Avalanche. Due to improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, ZDI Advisory).

An attacker can leverage this vulnerability to disclose sensitive information in the context of SYSTEM. The vulnerability allows remote attackers to disclose sensitive information on affected installations of Ivanti Avalanche without requiring authentication (ZDI Advisory).

Ivanti has released version 6.4.2 of Avalanche to address this vulnerability along with several other security issues. Users are advised to upgrade to this version to mitigate the risk (Release Notes).