CVE-2024-38653: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2024-38653 is an XML External Entity (XXE) vulnerability discovered in the SmartDeviceServer component of Ivanti Avalanche 6.3.1. The vulnerability affects multiple versions including 6.3.1, 6.4.0, 6.4.1, and 6.3.4, and allows remote unauthenticated attackers to read arbitrary files on the server (Security Online, NVD).

The vulnerability exists in the CheckinServlet.java file's doPut method, which processes incoming PUT requests to the /mdm/checkin endpoint. The issue stems from the XMLInputFactory not disabling the processing of external entities during XML parsing, specifically in the PList.decodeToMap method. The vulnerability has received a CVSS v3.1 base score of 7.5 (High) from NVD and 8.2 (High) from HackerOne, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Security Online, NVD).

The vulnerability allows attackers to read arbitrary files from the affected server, potentially exposing sensitive data and confidential information. While the current exploit is limited to reading single-line files due to XML library URL parsing constraints, it still poses a significant security risk (Security Online).

Ivanti has addressed this vulnerability in version 6.4.4 of Ivanti Avalanche. Organizations using affected versions (6.3.1, 6.4.0, 6.4.1, and 6.3.4) are strongly advised to upgrade to version 6.4.4 as soon as possible (Security Online).