CVE-2022-36972

Name of the Vulnerable Software and Affected Versions Ivanti Avalanche version 6.3.2.3490

Description This issue allows remote attackers to bypass authentication on affected installations. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string, such as the username and password variables. An attacker can leverage this issue to bypass authentication on the system.

Recommendations For Ivanti Avalanche version 6.3.2.3490, consider disabling the ProfileDaoImpl class until a patch is available to prevent exploitation. Restrict access to sensitive areas of the system to minimize the risk of unauthorized access. Avoid using user-supplied strings in SQL queries to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this issue.