CVE-2022-36975: 
Ivanti Avalanche vulnerability analysis and mitigation

This vulnerability (CVE-2022-36975) affects Ivanti Avalanche version 6.3.2.3490, allowing remote attackers to bypass authentication. The vulnerability exists within the ProfileDaoImpl class, where a crafted request can trigger execution of SQL queries composed from user-supplied strings (NVD, ZDI Advisory).

The vulnerability is classified as SQL Injection (CWE-89) and has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Zero Day Initiative assigned a slightly lower but still critical CVSS score of 9.1 with vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability allows attackers to bypass authentication on the system, potentially gaining unauthorized access to the Ivanti Avalanche installation. This could lead to complete system compromise due to the critical nature of the vulnerability as indicated by its CVSS score (NVD).

Ivanti has released version 6.3.4 to address this vulnerability. Users should upgrade to this version to mitigate the risk. The fix is documented in the release notes under the reference ZDI-CAN-15332 (Release Notes).