First published: Mon Apr 06 2020(Updated: )
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, accepts an arbitrary SSL certificate.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Pulsesecure Pulse Connect Secure | <=2020-04-06 | |
Pulsesecure Pulse Policy Secure | <=2020-04-06 | |
Apple macOS | ||
Linux Linux kernel | ||
Oracle Solaris |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-11580 is a vulnerability in Pulse Secure Pulse Connect Secure (PCS) and Pulse Policy Secure that allows an attacker to impersonate any SSL certificate.
CVE-2020-11580 has a severity rating of 9.1 (critical).
Pulse Secure Pulse Connect Secure (PCS) and Pulse Policy Secure versions up to and including 2020-04-06 are affected.
To fix CVE-2020-11580, update to a version of Pulse Secure Pulse Connect Secure (PCS) or Pulse Policy Secure that is later than 2020-04-06.
You can find more information about CVE-2020-11580 on the GitLab page (https://git.lsd.cat/g/pulse-host-checker-rce) and the Pulse Secure Knowledge Base (https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426).