#VU36717 Open redirect in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure)
Vulnerability identifier: #VU36717
Vulnerability risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-601
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Server applications /
Remote access servers, VPN
Ivanti Policy Secure (formerly Pulse Policy Secure)
Server applications /
Remote access servers, VPN
Vendor: Ivanti
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4 and Pulse Policy Secure through 5.2RX before 5.2R10 and 5.4RX before 5.4R4 have an Open Redirect Vulnerability.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Ivanti Connect Secure (formerly Pulse Connect Secure): 8.1 - 8.3rx
Ivanti Policy Secure (formerly Pulse Policy Secure): 5.2R1.0 - 8.3rx
External links
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
