CVE-2020-8218

CVSS 7.2 HIGHEPSS 32.7%● KEVCWE-94

In short

Pulse Connect Secure versions before 9.1R8 contain a code injection flaw in the admin interface that lets attackers execute arbitrary code by crafting a malicious URL.

Technical detail

A code injection vulnerability (CWE-94) in the admin web interface of Pulse Connect Secure <9.1R8 allows unauthenticated or low-privileged attackers to execute arbitrary code by sending a crafted URI. The vulnerability requires network access to the admin interface and results in complete system compromise.

Summary generated and translated by AI from the official description.

A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · Pulse Connect Secure

public PoCs found — 1

githubgithub.com/withdk/pulse-gosecure-rce-poc★ 22

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8218 https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/