CVE-2022-36983

CVE Database · CVE-2022-36983

CVE-2022-36983

· CRITICALModified

CVSS v3.1

9.8

EPSS

4.69%

Published

Mar 29, 2023

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-306CWE-306

Affected Products (1)

ivanti · avalanche (up to 6.3.4)vulnerable

References (4)

https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt

Release Notes

https://www.zerodayinitiative.com/advisories/ZDI-22-788/

Third Party AdvisoryVDB Entry

https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt

Release Notes

https://www.zerodayinitiative.com/advisories/ZDI-22-788/

Third Party AdvisoryVDB Entry

KEV Catalog EPSS Scores Vendors All CVEs