Improper access control in Ivanti Connect Secure (formerly Pulse Connect Secure) - CVE-2016-3985

 


Published: April 12, 2016 / Updated: August 9, 2020


Vulnerability identifier: #VU40393
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-3985
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ivanti
Affected software:
Ivanti Connect Secure (formerly Pulse Connect Secure)

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate data.

The Terminal Services Remote Desktop Protocol (RDP) client session restrictions feature in Pulse Connect Secure (aka PCS) 8.1R7 and 8.2R1 allows remote authenticated users to bypass intended access restrictions via unspecified vectors.


How to mitigate CVE-2016-3985

Install the update from the vendor's website.

Sources