7.2

CVE-2021-22900

Warning

A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4, which could allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Data is provided by the National Vulnerability Database (NVD)
Ivanti Connect Secure Version 9.0 Update -
Ivanti Connect Secure Version 9.0 Update r1
Ivanti Connect Secure Version 9.0 Update r1.0
Ivanti Connect Secure Version 9.0 Update r2
Ivanti Connect Secure Version 9.0 Update r2.0
Ivanti Connect Secure Version 9.0 Update r2.1
Ivanti Connect Secure Version 9.0 Update r3
Ivanti Connect Secure Version 9.0 Update r3.0
Ivanti Connect Secure Version 9.0 Update r3.1
Ivanti Connect Secure Version 9.0 Update r3.2
Ivanti Connect Secure Version 9.0 Update r3.3
Ivanti Connect Secure Version 9.0 Update r3.5
Ivanti Connect Secure Version 9.0 Update r4
Ivanti Connect Secure Version 9.0 Update r4.0
Ivanti Connect Secure Version 9.0 Update r4.1
Ivanti Connect Secure Version 9.0 Update r5.0
Ivanti Connect Secure Version 9.0 Update r6.0
Ivanti Connect Secure Version 9.1 Update -
Ivanti Connect Secure Version 9.1 Update r1
Ivanti Connect Secure Version 9.1 Update r10.0
Ivanti Connect Secure Version 9.1 Update r10.2
Ivanti Connect Secure Version 9.1 Update r11.0
Ivanti Connect Secure Version 9.1 Update r11.1
Ivanti Connect Secure Version 9.1 Update r11.3
Ivanti Connect Secure Version 9.1 Update r2
Ivanti Connect Secure Version 9.1 Update r3
Ivanti Connect Secure Version 9.1 Update r4
Ivanti Connect Secure Version 9.1 Update r4.1
Ivanti Connect Secure Version 9.1 Update r4.2
Ivanti Connect Secure Version 9.1 Update r4.3
Ivanti Connect Secure Version 9.1 Update r5
Ivanti Connect Secure Version 9.1 Update r6
Ivanti Connect Secure Version 9.1 Update r7
Ivanti Connect Secure Version 9.1 Update r8
Ivanti Connect Secure Version 9.1 Update r8.1
Ivanti Connect Secure Version 9.1 Update r8.2
Ivanti Connect Secure Version 9.1 Update r8.4
Ivanti Connect Secure Version 9.1 Update r9
Ivanti Connect Secure Version 9.1 Update r9.1
Ivanti Connect Secure Version 9.1 Update r9.2
Pulsesecure Pulse Connect Secure Version <= 9.1

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability

Description: Ivanti Pulse Connect Secure contains an unrestricted file upload vulnerability that allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Required actions: Apply updates per vendor instructions.

EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 1.67% | 0.815

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov | 6.5 | 8 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-669 Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.