First published: Fri Apr 26 2019
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Pulsesecure Pulse Connect Secure | =8.3 | |
Pulsesecure Pulse Connect Secure | =8.3rx | |
Pulsesecure Pulse Connect Secure | =9.0r1 | |
Pulsesecure Pulse Connect Secure | =9.0r2 | |
Pulsesecure Pulse Connect Secure | =9.0r2.1 | |
Pulsesecure Pulse Connect Secure | =9.0r3 | |
Pulsesecure Pulse Connect Secure | =9.0r3.1 | |
Pulsesecure Pulse Connect Secure | =9.0r3.2 | |
Pulsesecure Pulse Connect Secure | =9.0rx | |
Pulsesecure Pulse Policy Secure | =5.4r1 | |
Pulsesecure Pulse Policy Secure | =5.4r2 | |
Pulsesecure Pulse Policy Secure | =5.4r2.1 | |
Pulsesecure Pulse Policy Secure | =5.4r3 | |
Pulsesecure Pulse Policy Secure | =5.4r4 | |
Pulsesecure Pulse Policy Secure | =5.4r5 | |
Pulsesecure Pulse Policy Secure | =5.4r5.2 | |
Pulsesecure Pulse Policy Secure | =5.4r6 | |
Pulsesecure Pulse Policy Secure | =5.4r6.1 | |
Pulsesecure Pulse Policy Secure | =5.4r7 | |
Pulsesecure Pulse Policy Secure | =5.4rx | |
Pulsesecure Pulse Policy Secure | =9.0r1 | |
Pulsesecure Pulse Policy Secure | =9.0r2 | |
Pulsesecure Pulse Policy Secure | =9.0r2.1 | |
Pulsesecure Pulse Policy Secure | =9.0r3 | |
Pulsesecure Pulse Policy Secure | =9.0r3.1 | |
Pulsesecure Pulse Policy Secure | =9.0rx | |
Ivanti Connect Secure | =8.3 | |
CVE-2019-11540 is a vulnerability in Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1.
CVE-2019-11540 has a severity level of 9.8 (critical).
The affected software versions of CVE-2019-11540 include Pulse Connect Secure 8.3, Pulse Connect Secure 8.3RX, Pulse Connect Secure 9.0r1, Pulse Connect Secure 9.0r2, Pulse Connect Secure 9.0r2.1, Pulse Connect Secure 9.0r3, Pulse Connect Secure 9.0r3.1, Pulse Connect Secure 9.0r3.2, Pulse Connect Secure 9.0rx, Pulse Policy Secure 5.4r1, Pulse Policy Secure 5.4r2, Pulse Policy Secure 5.4r2.1, Pulse Policy Secure 5.4r3, Pulse Policy Secure 5.4r4, Pulse Policy Secure 5.4r5, Pulse Policy Secure 5.4r5.2, Pulse Policy Secure 5.4r6, Pulse Policy Secure 5.4r6.1, Pulse Policy Secure 5.4r7, Pulse Policy Secure 5.4rx, Pulse Policy Secure 9.0r1, Pulse Policy Secure 9.0r2, Pulse Policy Secure 9.0r2.1, Pulse Policy Secure 9.0r3, Pulse Policy Secure 9.0r3.1, Pulse Policy Secure 9.0rx.
By exploiting CVE-2019-11540, an unauthenticated, remote attacker can conduct a session hijacking attack.
You can find more information about CVE-2019-11540 at the following references:
[1] http://www.securityfocus.com/bid/108073
[2] https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
[3] https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf