First published: Mon Apr 06 2020(Updated: )
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Pulsesecure Pulse Connect Secure | <=2020-04-06 | |
Apple macOS | ||
Linux Linux kernel | ||
Oracle Solaris | ||
Pulsesecure Pulse Policy Secure |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-11581 is a vulnerability in Pulse Secure Pulse Connect Secure (PCS) that allows a man-in-the-middle attacker to perform OS command injection attacks against a client.
The severity of CVE-2020-11581 is critical (8.1).
Pulse Secure Pulse Connect Secure (PCS) versions up to and including 2020-04-06 are affected by CVE-2020-11581.
A man-in-the-middle attacker can exploit CVE-2020-11581 by performing OS command injection attacks against a client.
Yes, macOS, Linux, and Solaris clients are vulnerable to CVE-2020-11581 when a Host Checker policy is enforced.