CVE-2018-20810 — Inadequate Encryption Strength in Ivanti Connect Secure

CWE-326 — Inadequate Encryption Strength3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

1.5%

top 18.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ivanti Connect Secure Pulsesecure Pulse Policy Secure

Timeline

PublishedJun 28

Latest updateMay 24

Description

Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDpulsesecure/pulse_policy_secure5.4

▶NVDivanti/connect_secure8.3

🔴Vulnerability Details

GHSA

GHSA-g8vh-4gxx-phq3: Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8↗2022-05-24

▶

CVEList

CVE-2018-20810: Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8↗2019-03-16

▶