Main Vulnerability Database Vulnerabilities #VU27039

#VU27039 OS Command Injection in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure) - CVE-2019-11539

Published: April 20, 2020 / Updated: February 20, 2022

Vulnerability identifier: #VU27039

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green

CVE-ID: CVE-2019-11539

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vulnerable software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Ivanti Policy Secure (formerly Pulse Policy Secure)

Software vendor:
Ivanti

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in admin web interface of Pulse Connect Secure and Pulse Policy Secure. A remote authenticated user can execute arbitrary OS commands.

Remediation

Install updates from vendor's website.

#VU27039 OS Command Injection in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure) - CVE-2019-11539

Description

Remediation

External links

Please verify you're human