7.2

CVE-2021-22900

Warnung

A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IvantiConnect Secure Version9.0 Update-
IvantiConnect Secure Version9.0 Updater1
IvantiConnect Secure Version9.0 Updater1.0
IvantiConnect Secure Version9.0 Updater2
IvantiConnect Secure Version9.0 Updater2.0
IvantiConnect Secure Version9.0 Updater2.1
IvantiConnect Secure Version9.0 Updater3
IvantiConnect Secure Version9.0 Updater3.0
IvantiConnect Secure Version9.0 Updater3.1
IvantiConnect Secure Version9.0 Updater3.2
IvantiConnect Secure Version9.0 Updater3.3
IvantiConnect Secure Version9.0 Updater3.5
IvantiConnect Secure Version9.0 Updater4
IvantiConnect Secure Version9.0 Updater4.0
IvantiConnect Secure Version9.0 Updater4.1
IvantiConnect Secure Version9.0 Updater5.0
IvantiConnect Secure Version9.0 Updater6.0
IvantiConnect Secure Version9.1 Update-
IvantiConnect Secure Version9.1 Updater1
IvantiConnect Secure Version9.1 Updater10.0
IvantiConnect Secure Version9.1 Updater10.2
IvantiConnect Secure Version9.1 Updater11.0
IvantiConnect Secure Version9.1 Updater11.1
IvantiConnect Secure Version9.1 Updater11.3
IvantiConnect Secure Version9.1 Updater2
IvantiConnect Secure Version9.1 Updater3
IvantiConnect Secure Version9.1 Updater4
IvantiConnect Secure Version9.1 Updater4.1
IvantiConnect Secure Version9.1 Updater4.2
IvantiConnect Secure Version9.1 Updater4.3
IvantiConnect Secure Version9.1 Updater5
IvantiConnect Secure Version9.1 Updater6
IvantiConnect Secure Version9.1 Updater7
IvantiConnect Secure Version9.1 Updater8
IvantiConnect Secure Version9.1 Updater8.1
IvantiConnect Secure Version9.1 Updater8.2
IvantiConnect Secure Version9.1 Updater8.4
IvantiConnect Secure Version9.1 Updater9
IvantiConnect Secure Version9.1 Updater9.1
IvantiConnect Secure Version9.1 Updater9.2
PulsesecurePulse Connect Secure Version <= 9.1

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability

Schwachstelle

Ivanti Pulse Connect Secure contains an unrestricted file upload vulnerability that allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.67% 0.815
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-669 Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.