CVE-2021-22908 — Classic Buffer Overflow in Pulse Connect Secure

CWE-120 — Classic Buffer Overflow3 documents3 sources

Severity

8.8HIGHNVD

EPSS

30.9%

top 3.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulsesecure Pulse Connect Secure Ivanti Connect Secure

Timeline

PublishedMay 27

Latest updateMay 24

Description

A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDivanti/connect_secure9.0, 9.1+1

▶CVEListV5pulsesecure/pulse_connect_secureFixed in 9.1R11.5

▶NVDpulsesecure/pulse_connect_secure9.0rx

🔴Vulnerability Details

GHSA

GHSA-37f5-2q74-7wvc: A buffer overflow vulnerability exists in Windows File Resource Profiles in 9↗2022-05-24

▶

CVEList

CVE-2021-22908: A buffer overflow vulnerability exists in Windows File Resource Profiles in 9↗2021-05-27

▶