PT-2021-5240 · Ivanti · Ivanti Avalanche

Published: 2021-09-22 · Updated: 2021-12-08 · CVE-2021-42127

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ivanti Avalanche versions prior to 6.3.3

Description: The issue is a deserialization of untrusted data vulnerability in the StatServer service of Ivanti Avalanche. A remote attacker can exploit it to execute arbitrary code by sending specially crafted data. The vulnerability is associated with the Inforail Service and can be exploited via the Data Repository Service.

Recommendations: For versions prior to 6.3.3, update to version 6.3.3 or later to resolve the issue. As a temporary workaround, restrict access to the Data Repository Service to minimize the risk of exploitation, and avoid using the Inforail Service until the issue is resolved.

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2021-06044
CVE-2021-42127
ZDI-21-1323

Affected Products

Ivanti Avalanche