CVE-2021-22962: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2021-22962 is an authentication bypass vulnerability affecting Ivanti Avalanche software. The vulnerability was discovered and disclosed in late 2023, affecting Ivanti Avalanche versions 6.3.1 and above, including all supported versions of the product. An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack (NVD, Ivanti Blog).

The vulnerability specifically exists within the allowPassThrough method of Ivanti Avalanche's SecureFilter component. The issue results from incorrect string matching when making an authorization decision. The CVSS v3.1 base score is 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) according to NVD's assessment, while HackerOne rated it with a CVSS score of 7.3 HIGH (Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) (ZDI Advisory, NVD).

The vulnerability can allow remote attackers to partially bypass authentication on affected installations of Ivanti Avalanche. If successfully exploited, it could lead to leakage of sensitive data and potentially result in a resource-based denial of service (DoS) attack. Authentication is not required to exploit this vulnerability (ZDI Advisory, NVD).

Ivanti has addressed this vulnerability in Avalanche version 6.4.2. Users are strongly advised to upgrade to this version to protect against potential exploitation. The fix was part of a larger security hardening update that addressed multiple vulnerabilities (Release Notes, Ivanti Blog).