CVE-2021-30497: Path Traversal
First published: Wed Apr 06 2022(Updated: )
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ivanti Avalanche | =6.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-30497?
The severity of CVE-2021-30497 is high with a CVSS score of 7.5.
How does Ivanti Avalanche (Premise) 6.3.2 allow remote unauthenticated users to read arbitrary files?
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files through Absolute Path Traversal.
What is the affected software and version of CVE-2021-30497?
The affected software is Ivanti Avalanche version 6.3.2.
How can I fix the Directory Traversal vulnerability in Ivanti Avalanche (Premise) 6.3.2?
To fix the Directory Traversal vulnerability in Ivanti Avalanche (Premise) 6.3.2, upgrade to a patched version provided by Ivanti.
Is there any further information available on CVE-2021-30497?
Yes, you can find further information on CVE-2021-30497 in the references provided: [link1], [link2], [link3].
- collector/nvd-index
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/tags
- agent/last-modified-date
- agent/softwarecombine
- agent/remedy
- agent/first-publish-date
- agent/event
- agent/type
- collector/mitre-cve
- source/MITRE
- vendor/ivanti
- canonical/ivanti avalanche
- version/ivanti avalanche/6.3.2