CVE-2021-22900
27.05.2021, 12:15
A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.
| Vendor | Product | Version |
|---|---|---|
| ivanti | connect_secure | 9.0 |
| ivanti | connect_secure | 9.0:r1 |
| ivanti | connect_secure | 9.0:r1.0 |
| ivanti | connect_secure | 9.0:r2 |
| ivanti | connect_secure | 9.0:r2.0 |
| ivanti | connect_secure | 9.0:r2.1 |
| ivanti | connect_secure | 9.0:r3 |
| ivanti | connect_secure | 9.0:r3.0 |
| ivanti | connect_secure | 9.0:r3.1 |
| ivanti | connect_secure | 9.0:r3.2 |
| ivanti | connect_secure | 9.0:r3.3 |
| ivanti | connect_secure | 9.0:r3.5 |
| ivanti | connect_secure | 9.0:r4 |
| ivanti | connect_secure | 9.0:r4.0 |
| ivanti | connect_secure | 9.0:r4.1 |
| ivanti | connect_secure | 9.0:r5.0 |
| ivanti | connect_secure | 9.0:r6.0 |
| ivanti | connect_secure | 9.1 |
| ivanti | connect_secure | 9.1:r1 |
| ivanti | connect_secure | 9.1:r10.0 |
| ivanti | connect_secure | 9.1:r10.2 |
| ivanti | connect_secure | 9.1:r11.0 |
| ivanti | connect_secure | 9.1:r11.1 |
| ivanti | connect_secure | 9.1:r11.3 |
| ivanti | connect_secure | 9.1:r2 |
| ivanti | connect_secure | 9.1:r3 |
| ivanti | connect_secure | 9.1:r4 |
| ivanti | connect_secure | 9.1:r4.1 |
| ivanti | connect_secure | 9.1:r4.2 |
| ivanti | connect_secure | 9.1:r4.3 |
| ivanti | connect_secure | 9.1:r5 |
| ivanti | connect_secure | 9.1:r6 |
| ivanti | connect_secure | 9.1:r7 |
| ivanti | connect_secure | 9.1:r8 |
| ivanti | connect_secure | 9.1:r8.1 |
| ivanti | connect_secure | 9.1:r8.2 |
| ivanti | connect_secure | 9.1:r8.4 |
| ivanti | connect_secure | 9.1:r9 |
| ivanti | connect_secure | 9.1:r9.1 |
| ivanti | connect_secure | 9.1:r9.2 |
| pulsesecure | pulse_connect_secure | 𝑥 ≤ 9.1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-669 - Incorrect Resource Transfer Between SpheresThe product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.