CVE-2022-36981: 
Ivanti Avalanche vulnerability analysis and mitigation

A directory traversal vulnerability (CVE-2022-36981) was discovered in Ivanti Avalanche version 6.3.3.101. This vulnerability enables remote attackers to execute arbitrary code on affected installations. While authentication is required, the existing authentication mechanism can be bypassed (Zero Day Initiative).

The vulnerability exists within the DeviceLogResource class and stems from inadequate validation of user-supplied paths before their use in file operations. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) from NIST NVD, while Zero Day Initiative assigned it a score of 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the service account, potentially gaining significant control over the affected system (Zero Day Initiative).

Ivanti has addressed this vulnerability in Avalanche version 6.3.4. Users are advised to upgrade to this version to protect against potential exploitation. The fix is documented in the release notes under reference ZDI-CAN-15966 (Release Notes).