CVE-2023-28126

CVE Database · CVE-2023-28126

CVE-2023-28126

· MEDIUMModified

CVSS v3.1

5.9

EPSS

66.66%

Published

May 9, 2023

Modified

Jan 29, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-305CWE-362CWE-362

Affected Products (1)

ivanti · avalanchevulnerable

References (2)

https://forums.ivanti.com/s/article/ZDI-CAN-17750-Ivanti-Avalanche-EnterpriseServer-GetSettings-Exposed-Dangerous-Method-Authentication-Bypass-Vulnerability?language=en_US

Vendor Advisory

https://forums.ivanti.com/s/article/ZDI-CAN-17750-Ivanti-Avalanche-EnterpriseServer-GetSettings-Exposed-Dangerous-Method-Authentication-Bypass-Vulnerability?language=en_US

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs