CVE-2020-8254
28.10.2020, 13:15
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC.To improve the security of connections between Pulse clients and Pulse Connect Secure, see below recommendation(s):Disable Dynamic certificate trust for PDC.
| Vendor | Product | Version |
|---|---|---|
| pulsesecure | pulse_secure_desktop_client | 𝑥 < 9.1 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r1 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r2 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r3 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r3.1 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r4 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r4.1 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r4.2 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r5 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r6 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r7 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r7.1 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r8 |
| pulsesecure | pulse_secure_desktop_client | 9.1:r8.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-23 - Relative Path TraversalThe software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.