7

CVE-2020-13162

Exploit

A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PulsesecurePulse Secure Desktop Client Version5.3 Updater1.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater1.1 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater2.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater3.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater4.1 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater4.2 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater5.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater5.2 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater6.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version5.3 Updater7.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater1.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater2 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater2.1 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater3 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater3.2 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater4 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater4.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater5.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.0 Updater6.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater1.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater2.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater3.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater3.1 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater4.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater4.1 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater4.2 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater5.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater6.0 SwPlatformwindows
PulsesecurePulse Secure Desktop Client Version9.1 Updater7.0 SwPlatformwindows
PulsesecurePulse Secure Installer Service Version8.3 SwPlatformwindows
PulsesecurePulse Secure Installer Service Version9.1 SwPlatformwindows
PulsesecurePulse Secure Installer Service Version9.1 Updater5.0 SwPlatformwindows
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.35% 0.542
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.9 3.4 10
AV:L/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

http://seclists.org/fulldisclosure/2020/Jun/25
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2020/Sep/15
Third Party Advisory
Mailing List