CVE-2022-36983

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*

History

28 Apr 2023, 21:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*
Summary This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.3.101. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919. This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.
CWE CWE-749 CWE-306
References (MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-788/ - (MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-788/ - Third Party Advisory, VDB Entry
References (MISC) https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt - (MISC) https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt - Release Notes

29 Mar 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-03-29 19:15

Updated : 2024-02-04 23:37


NVD link : CVE-2022-36983

Mitre link : CVE-2022-36983

CVE.ORG link : CVE-2022-36983


JSON object : View

Products Affected

ivanti

  • avalanche
CWE
CWE-306

Missing Authentication for Critical Function