CVE-2023-46266: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2023-46266 is a security vulnerability discovered in Ivanti Avalanche that affects versions 6.3.1 and above, including all supported versions. The vulnerability was disclosed in December 2023 and allows an attacker to send specially crafted requests that could lead to sensitive data exposure or potential resource-based denial of service attacks (Ivanti Blog).

The vulnerability exists within the SecureFilter class and stems from improper handling of the requested URI and accompanying Content-Type HTTP request header. The vulnerability has received varying CVSS scores, with NVD assigning a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), while HackerOne rated it at 7.3 HIGH (Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) (ZDI Advisory).

The vulnerability can lead to two primary impacts: the leakage of sensitive data and the potential for resource-based denial of service attacks. Authentication is not required to exploit this vulnerability, making it particularly severe (NVD).

Ivanti has released version 6.4.2 of Avalanche which includes fixes for this vulnerability. Users are advised to upgrade to this version to address the security issue. The fix was part of a larger security update that addressed multiple vulnerabilities (Release Notes).