CVE-2019-11538 — Link Following in Ivanti Connect Secure

CWE-59 — Link Following | 8 documents | 5 sources

Severity: 7.7 HIGH (NVD)
EPSS: 3.1% (top 13.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 26; latest update Jun 18

Description

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.1 | Impact: 4.0

Affected Packages (1 package)

NVD: ivanti/connect_secure, 4 versions +3

Vulnerability Details (2)

GHSA: GHSA-9c6c-f33q-qhr3: In Pulse Secure Pulse Connect Secure version 9 (2022-05-24)
CVEList: CVE-2019-11538: In Pulse Secure Pulse Connect Secure version 9 (2019-04-26)

๐Ÿ•ต๏ธThreat Intelligence

1
Tenable
CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secureโ†—2019-08-21
โ–ถ

Community (4)

HackerOne: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███) (2024-06-18)
HackerOne: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████ (2021-07-29)
HackerOne: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███ (2019-12-02)
HackerOne: Potential pre-auth RCE on Twitter VPN (2019-08-10)