CVE-2022-36983

Опубликовано: 29 мар. 2023

Источник: nvd

CVSS3: 7.5

CVSS3: 9.8

EPSS Средний

Описание

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.

Ссылки

https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt
Release Notes
https://www.zerodayinitiative.com/advisories/ZDI-22-788/
Third Party Advisory
VDB Entry
https://download.wavelink.com/Files/avalanche_v6.3.4_release_notes.txt
Release Notes
https://www.zerodayinitiative.com/advisories/ZDI-22-788/
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*

Версия от 6.3.3.101 (включая) до 6.3.4 (исключая)

EPSS

Процентиль: 97%

0.36292

Средний

7.5 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-306

Связанные уязвимости

GHSA-xv6g-6g23-79w2

CVSS3: 9.8

github

около 3 лет назад

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.3.101. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.

EPSS

Процентиль: 97%

0.36292

Средний

7.5 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-306