CVE-2024-47009: 
Ivanti Avalanche vulnerability analysis and mitigation

A path traversal vulnerability has been identified in Ivanti Avalanche versions prior to 6.4.5, tracked as CVE-2024-47009. This security flaw allows remote unauthenticated attackers to bypass authentication mechanisms. The vulnerability was disclosed on October 8, 2024, and received a Critical CVSS v3.1 base score of 9.8 from NIST NVD, while Ivanti assessed it with a High severity score of 7.3 (NVD, ZDI).

The vulnerability exists within the SecureFilter class of Ivanti Avalanche and stems from improper handling of URIs and their accompanying Content-Type HTTP request headers. The flaw is classified under CWE-22 (Path Traversal) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel). This implementation weakness allows attackers to leverage the vulnerability to bypass authentication controls (ZDI, NVD).

The exploitation of this vulnerability can lead to unauthorized access to the system, potentially compromising the confidentiality, integrity, and availability of the affected Avalanche installation. The critical CVSS score of 9.8 indicates severe potential consequences if successfully exploited (NVD).

Ivanti has released version 6.4.5 of Avalanche to address this vulnerability. Organizations running affected versions should upgrade to version 6.4.5 or later to mitigate this security risk (ZDI).