CVE-2020-8260

Warnung

Exploit

EPSS 74.56%
Veröffentlicht 28.10.2020 13:15:13
Zuletzt bearbeitet 30.10.2025 20:40:55
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ivanti ≫ Connect Secure Version <= 9.0

Ivanti ≫ Connect Secure Version9.1 Update-

Ivanti ≫ Connect Secure Version9.1 Updater1.0

Ivanti ≫ Connect Secure Version9.1 Updater2.0

Ivanti ≫ Connect Secure Version9.1 Updater3.0

Ivanti ≫ Connect Secure Version9.1 Updater4.0

Ivanti ≫ Connect Secure Version9.1 Updater4.1

Ivanti ≫ Connect Secure Version9.1 Updater4.2

Ivanti ≫ Connect Secure Version9.1 Updater4.3

Ivanti ≫ Connect Secure Version9.1 Updater5.0

Ivanti ≫ Connect Secure Version9.1 Updater6.0

Ivanti ≫ Connect Secure Version9.1 Updater7.0

Ivanti ≫ Connect Secure Version9.1 Updater8.0

Ivanti ≫ Connect Secure Version9.1 Updater8.1

Ivanti ≫ Connect Secure Version9.1 Updater8.2

Ivanti ≫ Connect Secure Version9.1 Updater8.4

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Ivanti Pulse Connect Secure Code Execution Vulnerability

Schwachstelle

Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	74.56%	0.988

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

Vendor Advisory

Broken Link

http://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8260

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2020-8260

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-8260

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-8260

EUVD