CVE-2019-11508 — Path Traversal in Ivanti Connect Secure

CWE-22 — Path Traversal6 documents4 sources

Severity

7.2HIGHNVD

EPSS

4.1%

top 11.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ivanti Connect Secure Pulsesecure Pulse Connect Secure

Timeline

PublishedMay 8

Latest updateJun 18

Description

In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an authenticated attacker (via the admin web interface) can exploit Directory Traversal to execute arbitrary code on the appliance.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDpulsesecure/pulse_connect_secure7.4

▶NVDivanti/connect_secure6 versions+5

Patches

Patch: kb.pulsesecure.net ↗Patch: kb.pulsesecure.net ↗

🔴Vulnerability Details

GHSA

GHSA-3rh3-mwf4-58r4: In Pulse Secure Pulse Connect Secure (PCS) before 8↗2022-05-24

▶

CVEList

CVE-2019-11508: In Pulse Secure Pulse Connect Secure (PCS) before 8↗2019-05-08

▶

💬Community

HackerOne

Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)↗2024-06-18

▶

HackerOne

Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████↗2021-07-29

▶

HackerOne

Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███↗2019-12-02

▶