CVE-2022-36979
published 2023-03-29

Priority P271 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 6.53% (92.9th percentile)

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15493.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|--------|-----------|------------------------|----------|
| ivanti | avalanche | | |
| ivanti | avalanche | >= 6.3.2.3490 < 6.3.4 | 6.3.4 |

Detection & IOCs

  • The vulnerability resides in the AvalancheDaoSupport class; monitor for crafted HTTP requests targeting this class that contain SQL injection payloads intended to bypass authentication
  • Focus detection on authentication bypass attempts against Ivanti Avalanche 6.3.2.3490 endpoints — look for anomalous SQL metacharacters or boolean-based injection strings in authentication request parameters
  • Exploitation requires an initial authentication step, but the existing authentication mechanism itself can be bypassed via the SQL injection; defenders should not assume pre-auth network controls alone are sufficient
  • The confirmed affected version is Ivanti Avalanche 6.3.2.3490; scope detection and patching efforts to this version specifically, while also auditing adjacent versions

CVSS provenance

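| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |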