Input validation error in Pulse Connect Secure



Published: 2018-05-10 | Updated: 2020-08-08
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-9849
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Pulse Connect Secure
Server applications / Remote access servers, VPN

Vendor Pulse Secure

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU37141

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2018-9849

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3 - 8.3R4


CPE2.3 External links

http://www.securityfocus.com/bid/104160
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43730

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###