First published: Mon Aug 16 2021(Updated: )
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console.
Credit: support@hackerone.com support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Pulsesecure Pulse Connect Secure | <9.1 | |
Pulsesecure Pulse Connect Secure | =9.1 | |
Pulsesecure Pulse Connect Secure | =9.1-r1.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r10.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r11.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r2.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r3.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r4.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r5.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r6.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r7.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r8.0 | |
Pulsesecure Pulse Connect Secure | =9.1-r9.0 | |
Ivanti Connect Secure | =9.1 | |
Ivanti Connect Secure | =9.1-r1.0 | |
Ivanti Connect Secure | =9.1-r10.0 | |
Ivanti Connect Secure | =9.1-r11.0 | |
Ivanti Connect Secure | =9.1-r2.0 | |
Ivanti Connect Secure | =9.1-r3.0 | |
Ivanti Connect Secure | =9.1-r4.0 | |
Ivanti Connect Secure | =9.1-r5.0 | |
Ivanti Connect Secure | =9.1-r6.0 | |
Ivanti Connect Secure | =9.1-r7.0 | |
Ivanti Connect Secure | =9.1-r8.0 | |
Ivanti Connect Secure | =9.1-r9.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2021-22938.
The severity of CVE-2021-22938 is high with a severity value of 7.2.
Pulse Connect Secure versions before 9.1R12 are affected by this vulnerability.
An authenticated administrator can exploit CVE-2021-22938 by performing command injection via an unsanitized web parameter in the administrator web console.
Yes, the fix is available in Pulse Connect Secure 9.1R12. It is recommended to update to this version to mitigate the vulnerability.