Risk | High |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2018-20809 CVE-2018-20810 CVE-2018-20814 |
CWE-ID | CWE-20 CWE-326 CWE-79 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Pulse Connect Secure (Server applications / Remote access servers, VPN); Pulse Policy Secure (Server applications / Remote access servers, VPN) |
Vendor | Pulse Secure |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU35774
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2018-20809
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A crafted message can cause the web server to crash with Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R5 and Pulse Policy Secure 5.4RX before 5.4R5. This is not applicable to PCS 8.1RX.
Mitigation: Install update from vendor's website.
Vulnerable software versions:
Pulse Connect Secure: 8.3
Pulse Policy Secure: 4.4 - 8.3
External links:
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/
EUVDB-ID: #VU35775
Risk: High
CVSSv3.1:
CVE-ID: CVE-2018-20810
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.
Mitigation: Install update from vendor's website.
Vulnerable software versions:
Pulse Connect Secure: 8.3
Pulse Policy Secure: 5.4 - 8.3
External links:
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/
EUVDB-ID: #VU35779
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2018-20814
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX.
Mitigation: Install update from vendor's website.
Vulnerable software versions:
Pulse Connect Secure: 8.3
Pulse Policy Secure: 5.4 - 8.3
External links:
http://www.securityfocus.com/bid/109033
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/