CVE-2019-11509 — Ivanti Connect Secure vulnerability

3 documents3 sources

Severity

8.8HIGHNVD

EPSS

4.2%

top 11.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ivanti Connect Secure Ivanti Policy Secure Pulsesecure Pulse Policy Secure

Timeline

PublishedJun 3

Latest updateMay 24

Description

In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 and Pulse Policy Secure (PPS) before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, and 9.0 before 9.0R3.2, an authenticated attacker (via the admin web interface) can exploit Incorrect Access Control to execute arbitrary code on the appliance.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDpulsesecure/pulse_policy_secure5.2, 5.4+1

▶NVDivanti/policy_secure9.0

▶NVDivanti/connect_secure4 versions+3

🔴Vulnerability Details

GHSA

GHSA-f2cx-w4q6-4qq4: In Pulse Secure Pulse Connect Secure (PCS) before 8↗2022-05-24

▶

CVEList

CVE-2019-11509: In Pulse Secure Pulse Connect Secure (PCS) before 8↗2019-06-03

▶