CVE-2018-20812 — Sensitive Information Exposure in Pulse Secure Desktop Client

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 44.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulsesecure Pulse Secure Desktop Client

Timeline

PublishedJun 28

Latest updateMay 24

Description

An information exposure issue where IPv6 DNS traffic would be sent outside of the VPN tunnel (when Traffic Enforcement was enabled) exists in Pulse Secure Pulse Secure Desktop 9.0R1 and below. This is applicable only to dual-stack (IPv4/IPv6) endpoints.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDpulsesecure/pulse_secure_desktop_client5 versions+4

🔴Vulnerability Details

GHSA

GHSA-64wp-r983-gxp4: An information exposure issue where IPv6 DNS traffic would be sent outside of the VPN tunnel (when Traffic Enforcement was enabled) exists in Pulse Se↗2022-05-24

▶

CVEList

CVE-2018-20812: An information exposure issue where IPv6 DNS traffic would be sent outside of the VPN tunnel (when Traffic Enforcement was enabled) exists in Pulse Se↗2019-03-16

▶