8.8

CVE-2021-22899

Warnung

A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IvantiConnect Secure Version9.0 Update-
IvantiConnect Secure Version9.0 Updater1
IvantiConnect Secure Version9.0 Updater1.0
IvantiConnect Secure Version9.0 Updater2
IvantiConnect Secure Version9.0 Updater2.0
IvantiConnect Secure Version9.0 Updater2.1
IvantiConnect Secure Version9.0 Updater3
IvantiConnect Secure Version9.0 Updater3.0
IvantiConnect Secure Version9.0 Updater3.1
IvantiConnect Secure Version9.0 Updater3.2
IvantiConnect Secure Version9.0 Updater3.3
IvantiConnect Secure Version9.0 Updater3.5
IvantiConnect Secure Version9.0 Updater4
IvantiConnect Secure Version9.0 Updater4.0
IvantiConnect Secure Version9.0 Updater4.1
IvantiConnect Secure Version9.0 Updater5.0
IvantiConnect Secure Version9.0 Updater6.0
IvantiConnect Secure Version9.0 Updaterx
IvantiConnect Secure Version9.1 Update-
IvantiConnect Secure Version9.1 Updater1
IvantiConnect Secure Version9.1 Updater10.0
IvantiConnect Secure Version9.1 Updater10.2
IvantiConnect Secure Version9.1 Updater11.0
IvantiConnect Secure Version9.1 Updater11.1
IvantiConnect Secure Version9.1 Updater11.3
IvantiConnect Secure Version9.1 Updater2
IvantiConnect Secure Version9.1 Updater3
IvantiConnect Secure Version9.1 Updater4
IvantiConnect Secure Version9.1 Updater4.1
IvantiConnect Secure Version9.1 Updater4.2
IvantiConnect Secure Version9.1 Updater4.3
IvantiConnect Secure Version9.1 Updater5
IvantiConnect Secure Version9.1 Updater6
IvantiConnect Secure Version9.1 Updater7
IvantiConnect Secure Version9.1 Updater8
IvantiConnect Secure Version9.1 Updater8.1
IvantiConnect Secure Version9.1 Updater8.2
IvantiConnect Secure Version9.1 Updater8.4
IvantiConnect Secure Version9.1 Updater9
IvantiConnect Secure Version9.1 Updater9.1
IvantiConnect Secure Version9.1 Updater9.2

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Ivanti Pulse Connect Secure Command Injection Vulnerability

Schwachstelle

Ivanti Pulse Connect Secure contains a command injection vulnerability that allows remote authenticated users to perform remote code execution via Windows File Resource Profiles.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 44.95% 0.975
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.