CVE-2024-38652: 
Ivanti Avalanche vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-38652) was discovered in the skin management component of Ivanti Avalanche 6.3.1. The vulnerability was reported on July 18, 2023, and publicly disclosed on August 13, 2024. This security flaw affects multiple versions of Ivanti Avalanche, from version 6.3.1 through 6.4.2 (NVD).

The vulnerability exists within the deleteSkin method and stems from improper validation of user-supplied paths before their use in file operations. It has been assigned a CVSS v3.1 base score of 9.1 (Critical) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (ZDI, NVD).

The vulnerability allows remote attackers to delete arbitrary files on affected installations of Ivanti Avalanche. The impact is particularly severe as the file deletion occurs in the context of SYSTEM privileges, potentially leading to denial of service conditions (ZDI).

Ivanti has released an update to address this vulnerability. Users are advised to upgrade to the patched version as detailed in the vendor's security advisory (Ivanti Advisory).