Vulnerability Description
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ivanti | Avalanche | >= 6.3.2.3490, < 6.3.4 |
Related Weaknesses (CWE)
References
- https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txtRelease Notes
- https://www.zerodayinitiative.com/advisories/ZDI-22-777/Third Party AdvisoryVDB Entry
- https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txtRelease Notes
- https://www.zerodayinitiative.com/advisories/ZDI-22-777/Third Party AdvisoryVDB Entry
FAQ
What is CVE-2022-36972?
CVE-2022-36972 is a vulnerability with a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted reques...
How severe is CVE-2022-36972?
CVE-2022-36972 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-36972?
Check the references section above for vendor advisories and patch information. Affected products include: Ivanti Avalanche.