CVE-2022-36983: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2022-36983 is an authentication bypass vulnerability affecting Ivanti Avalanche versions from 6.3.3.101 up to (excluding) 6.3.4. The vulnerability was discovered and reported to the vendor on December 8, 2021, and was publicly disclosed on May 26, 2022 (Zero Day Initiative).

The vulnerability exists within the SetSettings class of Ivanti Avalanche. The specific flaw results from the lack of authentication prior to allowing access to functionality. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized as CWE-306 (Missing Authentication for Critical Function) (NVD).

An attacker can leverage this vulnerability to bypass authentication on the system, potentially gaining unauthorized access to critical functionality. Given the CVSS score of 9.8, this vulnerability represents a critical risk to affected systems, with potential for complete compromise of system confidentiality, integrity, and availability (NVD).

Ivanti has released version 6.3.4 of Avalanche to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk. The fix is documented in the release notes under the reference ZDI-CAN-15919 (Release Notes).