Pulse Secure 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk input validation and vendor risk csrf などに関し、一部は vendor impact unexpected behavior を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2022-21826 | Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS. | [email protected] | 5.4 | 5.90% | 2022-09-30 | 2024-11-21 |
| CVE-2021-44720 | In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role. | [email protected] | 7.2 | 2.61% | 2022-08-12 | 2024-11-21 |
| CVE-2021-22965 | A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to causes a denial of service when a malformed request is sent to the device. | [email protected] | 7.5 | 13.62% | 2021-11-19 | 2024-11-21 |
| CVE-2021-22938 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. | [email protected] | 7.2 | 4.29% | 2021-08-16 | 2024-11-21 |
| CVE-2021-22937 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. | [email protected] | 7.2 | 10.25% | 2021-08-16 | 2024-11-21 |
| CVE-2021-22936 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter. | [email protected] | 6.1 | 0.12% | 2021-08-16 | 2024-11-21 |
| CVE-2021-22935 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter. | [email protected] | 7.2 | 4.29% | 2021-08-16 | 2024-11-21 |
| CVE-2021-22934 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a malicious crafted web request. | [email protected] | 7.2 | 4.68% | 2021-08-16 | 2024-11-21 |
| CVE-2021-22933 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request. | [email protected] | 6.5 | 6.38% | 2021-08-16 | 2024-11-21 |
| CVE-2021-22908 | A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default. | [email protected] | 8.8 | 22.68% | 2021-05-27 | 2024-11-21 |
| CVE-2021-22900 KEV | A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. | [email protected] | 7.2 | 0.98% | 2021-05-27 | 2025-12-18 |
| CVE-2021-31922 | An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3. | [email protected] | 7.5 | 0.19% | 2021-05-14 | 2024-11-21 |
| CVE-2021-22887 | A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device. | [email protected] | 2.3 | 0.06% | 2021-03-16 | 2024-11-21 |
| CVE-2020-8263 | A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file. | [email protected] | 5.4 | 0.35% | 2020-10-28 | 2024-11-21 |
| CVE-2020-8262 | A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface. | [email protected] | 6.1 | 0.14% | 2020-10-28 | 2024-11-21 |
| CVE-2020-8261 | A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection. | [email protected] | 4.3 | 0.61% | 2020-10-28 | 2024-11-21 |
| CVE-2020-8255 | A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary file reading vulnerability is fixed using encrypted URL blacklisting that prevents these messages. | [email protected] | 4.9 | 13.49% | 2020-10-28 | 2024-11-21 |
| CVE-2020-8254 | A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC.To improve the security of connections between Pulse clients and Pulse Connect Secure, see below recommendation(s):Disable Dynamic certificate trust for PDC. | [email protected] | 8.8 | 2.44% | 2020-10-28 | 2024-11-21 |
| CVE-2020-8250 | A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege. | [email protected] | 7.8 | 0.35% | 2020-10-28 | 2024-11-21 |
| CVE-2020-8249 | A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform buffer overflow. | [email protected] | 7.8 | 0.65% | 2020-10-28 | 2024-11-21 |