Permissions, Privileges, and Access Controls in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure) - CVE-2020-11582
Published: April 9, 2020
Vulnerability identifier: #VU26750
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-11582
CWE-ID: CWE-264
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Ivanti
Affected software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Ivanti Policy Secure (formerly Pulse Policy Secure)
Ivanti Connect Secure (formerly Pulse Connect Secure)
Ivanti Policy Secure (formerly Pulse Policy Secure)
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to the applet in tncc.jar launches a TCP server that accepts local connections on a random port and can be reached by local HTTP clients. A remote attacker can use this issue to gather information from the system or perform further interactions with the victim's system.
How to mitigate CVE-2020-11582
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.