CVE-2019-11213 — Session Fixation in Ivanti Connect Secure

CWE-384 — Session Fixation4 documents4 sources

Severity

8.1HIGHNVD

EPSS

2.5%

top 14.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ivanti Connect Secure Pulsesecure Pulse Connect Secure Pulsesecure Pulse Secure Desktop Client

Timeline

PublishedApr 12

Latest updateMay 13

Description

In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 be…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDpulsesecure/pulse_secure_desktop_client5.0r1.0 — 5.3r7+1

▶NVDpulsesecure/pulse_connect_secure8.3r1 — 8.3r7+1

▶NVDivanti/connect_secure9.0r1 — 9.0r3

🔴Vulnerability Details

GHSA

GHSA-q822-4vp5-26qj: In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain↗2022-05-13

▶

CVEList

CVE-2019-11213: In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain↗2019-04-12

▶

💬Community

Bugzilla

CVE-2018-11213 libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c↗2018-05-18

▶