CVE-2022-36976
published 2023-03-29

Priority: P2 · 70 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.53% (92.9th percentile)
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.

Affected

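11 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| ivanti | avalanche | | |
| ivanti | avalanche | >= 6.3.2.3490 < 6.3.4 | 6.3.4 |
| msrc | windows_10_version_1809 | | |
| msrc | windows_10_version_1909 | | |
| msrc | windows_10_version_20h2 | | |
| msrc | windows_10_version_21h1 | | |
| msrc | windows_10_version_21h2 | | |
| msrc | windows_11_version_21h2 | | |
| msrc | windows_server_2019 | | |
| msrc | windows_server_2022 | | |
| msrc | windows_server_version_20h2 | | |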

Detection & IOCs (extracted from sources)

  • The vulnerability exists within the GroupDaoImpl class; monitor for crafted HTTP requests targeting this class that may contain SQL injection payloads intended to bypass authentication
  • Target product and version for detection scope: Ivanti Avalanche 6.3.2.3490; alert on unauthenticated access attempts to protected endpoints on this platform
  • Classify as SQL injection (CWE-89) leading to authentication bypass; inspect request parameters for unsanitized SQL metacharacters (e.g., quotes, comment sequences) in inputs processed by GroupDaoImpl
  • Only Ivanti Avalanche version 6.3.2.3490 is confirmed affected per the advisory; detections should be scoped to this version to reduce false positives
  • The vulnerability is remotely exploitable with no authentication required (CVSS 9.8 Critical), meaning pre-auth network traffic should be the primary detection surface

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_msrc | 6.5 | HIGH