This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.
References
Link | Resource |
---|---|
https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt | Release Notes |
https://www.zerodayinitiative.com/advisories/ZDI-22-788/ | Third Party Advisory VDB Entry |
Configurations
History
28 Apr 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:* | |
Summary | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919. | |
CWE | CWE-306 | |
References | (MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-788/ - Third Party Advisory, VDB Entry | |
References | (MISC) https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt - Release Notes |
29 Mar 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-03-29 19:15
Updated : 2024-02-04 23:37
NVD link : CVE-2022-36983
Mitre link : CVE-2022-36983
CVE.ORG link : CVE-2022-36983
JSON object : View
Products Affected
ivanti
- avalanche
CWE
CWE-306
Missing Authentication for Critical Function