PT-2024-8675 · Ivanti · Ivanti Avalanche

Published: 2024-08-13 · Updated: 2024-09-04 · CVE-2024-38653

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:P
Name of the Vulnerable Software and Affected Versions: Ivanti Avalanche version 6.3.1

Description: The vulnerability is an XML External Entity (XXE) flaw in the SmartDeviceServer component of Ivanti Avalanche. A remote, unauthenticated attacker can exploit it to read arbitrary files on the server and potentially disclose protected information. The root cause is improper restriction of XML external entity references.

Recommendations: For Ivanti Avalanche version 6.3.1, consider disabling the decodeToMap XML External Entity Processing function as a temporary workaround until a patch is available. Restrict access to the SmartDeviceServer component to reduce the risk of exploitation, and avoid using the vulnerable XML processing functionality on the affected server until the issue is resolved. At the time of writing, no newer version containing a fix for this vulnerability is known.
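The workaround above comes down to never letting the server resolve an external entity. The following is an added example, not Ivanti's code and not the decodeToMap implementation: a hardened "decode to map" routine in Python, standard library only, that scans an untrusted document with expat and rejects it as soon as a DOCTYPE or entity declaration appears, before any entity could be resolved or expanded. The function names (safe_decode_to_map, assert_no_doctype) and the sample documents are constructed for this example.

```python
"""Hardened XML-to-dict decoding that refuses DOCTYPE and entity declarations.

Added example, not Ivanti code. Standard library only; the sample documents
at the bottom are constructed for the demonstration.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UntrustedXMLError(ValueError):
    """Raised when an untrusted document uses a construct we do not allow."""


def assert_no_doctype(data: bytes) -> None:
    """First pass: let expat report declarations and abort on the first one.

    Nothing is resolved or expanded here. expat only reports that a DOCTYPE,
    entity declaration or external reference exists; each handler raises, which
    stops the parse and propagates out of Parse().
    """

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXMLError(
            f"DOCTYPE declaration not allowed (root={name!r}, system id={sysid!r})"
        )

    def on_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise UntrustedXMLError(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: even if a DOCTYPE slipped past, the referenced
        # resource is never fetched; raising aborts the parse instead.
        raise UntrustedXMLError(f"external entity reference blocked: {sysid!r}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def safe_decode_to_map(data: bytes) -> dict:
    """Decode an untrusted XML document into a flat {tag: text} map of the
    root element's children. Hypothetical stand-in for a 'decode to map'
    routine; the pre-check above is what makes it safe against XXE."""
    assert_no_doctype(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "").strip() for child in root}


def check(data: bytes) -> str:
    """Return a one-line verdict, useful for logging at the input boundary."""
    try:
        result = safe_decode_to_map(data)
    except UntrustedXMLError as exc:
        return f"rejected: {exc}"
    return f"accepted: {result}"


# Constructed sample documents.
BENIGN = b'<?xml version="1.0"?><device><id>dev-001</id><os>Android</os></device>'

# XXE-shaped document: an external entity whose system id is a placeholder.
XXE_SHAPED = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE device [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>\n'
    b"<device><id>&ext;</id></device>"
)

# A DOCTYPE with no entities at all is still refused: the rule is "no DOCTYPE".
BARE_DOCTYPE = b"<!DOCTYPE device><device><id>dev-002</id></device>"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe-shaped", XXE_SHAPED), ("bare doctype", BARE_DOCTYPE)):
        print(f"{label:13s} {check(doc)}")
```

Rejecting every DOCTYPE is the simplest rule to audit and matches the usual guidance for parsers that can be configured to disallow it (for Java-based DOM and SAX parsers, the `http://apache.org/xml/features/disallow-doctype-decl` feature). Log the rejection with the remote address: repeated DOCTYPE-bearing requests to an endpoint that never legitimately uses one are a useful detection signal for attempts against this class of flaw.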

Weakness Enumeration

XXE

Related Identifiers

BDU:2024-10277
CVE-2024-38653
ZDI-24-1150

Affected Products

Ivanti Avalanche