CVE-2022-36981

Scores

EPSS

0.674medium67.4%

0%20%40%60%80%100%

Percentile: 67.4%

CVSS

9.8critical3.x

0246810

CVSS Score: 9.8/10

All CVSS Scores

CVSS 3.x

9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResource class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15966.

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.

Learn more about Scaner-VS 7

Sources

nvd

CWEs

CWE-22

Vulnerable Software (1)

Type: Configuration

Vendor: *

Product: avalanche

Operating System: * * *

Trait:

{  "cpe_match": [    {      "cpe23uri": "cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*",      "versionEndExcluding": "6.3.4",      "versionStartIncluding": "6.3.3.101",      "vulnerable": true    ...

{  "cpe_match": [    {      "cpe23uri": "cpe:2.3:a:ivanti:avalanche:*:*:*:*:*:*:*:*",      "versionEndExcluding": "6.3.4",      "versionStartIncluding": "6.3.3.101",      "vulnerable": true    }  ],  "operator": "OR"}

Source: nvd

End of list

Russian Vulnerability Scanner Database

CVE-2022-36981

Scores

EPSS

CVSS

All CVSS Scores

Vector Breakdown

CVSS

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Description

Scaner-VS 7 — a modern vulnerability management solution

Sources

CWEs

Vulnerable Software (1)