First published: Wed Oct 28 2020
A vulnerability in the admin web interface of Pulse Connect Secure < 9.1R9 could allow an authenticated attacker to perform arbitrary code execution using uncontrolled gzip extraction.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Pulsesecure Pulse Secure Desktop Client | <9.1 | |
Pulsesecure Pulse Secure Desktop Client | =9.1 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r1 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r2 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r3 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r3.1 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r4 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r4.1 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r4.2 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r5 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r6 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r7 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r7.1 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r8 | |
Pulsesecure Pulse Secure Desktop Client | =9.1-r8.2 | |
CVE-2020-8260 is a code execution vulnerability in the Ivanti Pulse Connect Secure admin web interface.
The vulnerability affects Ivanti Pulse Connect Secure versions < 9.1R9 and Pulse Secure Desktop Client 9.1 on Linux.
CVE-2020-8260 has a severity score of 7.2, which is considered high.
An authenticated attacker can exploit CVE-2020-8260 to perform arbitrary code execution using uncontrolled gzip extraction.
To fix CVE-2020-8260, update Ivanti Pulse Connect Secure to version 9.1R9 or later, and update Pulse Secure Desktop Client to a non-vulnerable version.