CVE-2022-36976

Name of the Vulnerable Software and Affected Versions Ivanti Avalanche version 6.3.2.3490

Description This issue allows remote attackers to bypass authentication on affected installations. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string, such as the username and password variables. An attacker can leverage this issue to bypass authentication on the system.

Recommendations For Ivanti Avalanche version 6.3.2.3490, consider disabling the GroupDaoImpl class or restricting access to it until a patch is available. As a temporary workaround, avoid using user-supplied strings in SQL queries to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.