CVE-2022-36976
Published 2023-03-29
Priority P270 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 6.53% (92.9th percentile)
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | avalanche | — | — |
| ivanti | avalanche | >= 6.3.2.3490 < 6.3.4 | 6.3.4 |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_10_version_20h2 | — | — |
| msrc | windows_10_version_21h1 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_11_version_21h2 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_version_20h2 | — | — |
Detection & IOCs
- The vulnerability exists within the GroupDaoImpl class; monitor for crafted HTTP requests targeting this class that may contain SQL injection payloads intended to bypass authentication
- Target product and version for detection scope: Ivanti Avalanche 6.3.2.3490; alert on unauthenticated access attempts to protected endpoints on this platform
- Classify as SQL injection (CWE-89) leading to authentication bypass; inspect request parameters for unsanitized SQL metacharacters (e.g., quotes, comment sequences) in inputs processed by GroupDaoImpl
- Only Ivanti Avalanche version 6.3.2.3490 is confirmed affected per the advisory; detections should be scoped to this version to reduce false positives
- The vulnerability is remotely exploitable with no authentication required (CVSS 9.8 Critical), meaning pre-auth network traffic should be the primary detection surface
CVSS provenance
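| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vendor_msrc | — | 6.5 | HIGH | — |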
Ivanti
Ivanti Security Advisory: CVE-2022-36976
vendor_ivanti·2023-03-29·CVSS 9.8
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.
CVE IDs: CVE-2022-36976
CVSS Base Score: 9.8
Severity: CRITICAL
CWEs: CWE-89
Microsoft
Libarchive Remote Code Execution Vulnerability
vendor_msrc·2022-01-11·CVSS 6.5
CVE-2021-36976 [MEDIUM]
FAQ: Why is this a MITRE Corporation CVE?
CVE-2021-36976 is regarding a vulnerability in the libarchive open source library which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library which addresses the vulnerability and others. Please see libarchive CVEs for more information regarding all of the vulnerabilities that have been addressed.
Windows Libarchive: Windows Libarchive
MITRE Corporation: MITRE Corporation
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: Yes; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely
Reference: https://catalog.update.microsoft.com/v7/site/Search.a
VulDB
Ivanti Avalanche 6.3.2.3490 Request GroupDaoImpl sql injection (ZDI-22-781 / EUVD-2022-39633)
vuldb·2026-06-18·CVSS 9.8
CVE-2022-36976 [CRITICAL]
A vulnerability categorized as critical has been discovered in Ivanti Avalanche 6.3.2.3490. Impacted is the function GroupDaoImpl of the component Request Handler. The manipulation results in sql injection.
This vulnerability is identified as CVE-2022-36976. The attack can be executed remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-88wg-fvch-429c: This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6
ghsa_unreviewed·2023-03-29
CVE-2022-36976 [CRITICAL] CWE-89
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-03-29