PT-2022-23719 · Ivanti · Ivanti Avalanche
Chudypb
+1
·
Published
2022-05-26
·
Updated
2023-04-05
·
CVE-2022-36975
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Ivanti Avalanche version 6.3.2.3490
Description
The issue allows remote attackers to bypass authentication on affected installations. The specific flaw exists within the
ProfileDaoImpl class, where a crafted request can trigger execution of SQL queries composed from a user-supplied string, enabling an attacker to bypass authentication on the system.Recommendations
For Ivanti Avalanche version 6.3.2.3490, consider disabling the
ProfileDaoImpl class until a patch is available to prevent exploitation of this issue. Restrict access to sensitive areas of the system to minimize the risk of unauthorized access.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ivanti Avalanche