{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:50", "description": "A remote code execution vulnerability exists in Pulse Connect Secure. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Pulse Connect Secure Remote Code Execution (CVE-2020-8218)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8218"], "modified": "2020-09-21T00:00:00", "id": "CPAI-2020-0841", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-07T00:00:00", "type": "cisa_kev", "title": "Pulse Connect Secure Code Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8218"], "modified": "2022-03-07T00:00:00", "id": "CISA-KEV-CVE-2020-8218", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-08-01T19:02:02", "description": "A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-30T13:15:00", "type": "cve", "title": "CVE-2020-8218", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8218"], "modified": "2022-08-01T15:15:00", "cpe": ["cpe:/a:pulsesecure:pulse_policy_secure:9.0", "cpe:/a:pulsesecure:pulse_connect_secure:9.1", "cpe:/a:pulsesecure:pulse_policy_secure:9.1", "cpe:/a:pulsesecure:pulse_connect_secure:9.0"], "id": "CVE-2020-8218", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8218", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r7:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r4.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r7:*:*:*:*:*:*", 
"cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.1:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_policy_secure:9.0:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2022-08-01T16:31:17", "description": "A code injection vulnerability exists in Pulse Connect Secure `<9.1R8` that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.\n\n \n**Recent assessments:** \n \n**wvu-r7** at August 27, 2020 3:29pm UTC reported:\n\nResearchers wrote this one up at <https://www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/>.\n\nIn [CVE-2020-15408](<https://attackerkb.com/assessments/92c1e499-db15-4a8b-9317-914a18bdebc2>), I was musing about SSRF-to-RCE potential as a normal user, but this just skips right to CSRF\u2019ing an admin to get RCE.\n\nNote that both these vulns involve interacting with an authenticated user. The \u201cthreat model\u201d is different from that of previous Pulse Secure RCEs. Patch this but also invest in security training for your users!\n\nETA: This is otherwise post-auth RCE, so if you have admin creds, you can execute commands all the same. 
It\u2019s not uncommon to find creds like these in a corporate wiki or share somewhere.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-30T00:00:00", "type": "attackerkb", "title": "CVE-2020-8218", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15408", "CVE-2020-8218"], "modified": "2020-09-01T00:00:00", "id": "AKB:98DD7DE4-C5FF-408B-A893-81B6C25A43C2", "href": "https://attackerkb.com/topics/4l7JFLZm1U/cve-2020-8218", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-03-08T11:29:18", "description": "CISA has added 11 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. 
**Note: **to view the newly added vulnerabilities in the catalog, click on the arrow in the \"Date Added to Catalog\" column, which will sort by descending dates.\n\n**CVE ID ** | **Vulnerability Name ** | **Due Date ** \n---|---|--- \nCVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 \nCVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 \nCVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | 3/21/2022 \nCVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 9/7/2022 \nCVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 9/7/2022 \nCVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 9/7/2022 \nCVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 9/7/2022 \nCVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 9/7/2022 \nCVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 9/7/2022 \nCVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 9/7/2022 \nCVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 9/7/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://cyber.dhs.gov/bod/22-01/>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. 
\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/03/07/cisa-adds-11-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-03-07T00:00:00", "type": "cisa", "title": "CISA Adds 11 Known Exploited Vulnerabilities to Catalog\u202f", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3960", "CVE-2013-0625", 
"CVE-2013-0629", "CVE-2013-0631", "CVE-2016-6277", "CVE-2017-6077", "CVE-2019-11581", "CVE-2020-8218", "CVE-2021-21973", "CVE-2022-26485", "CVE-2022-26486"], "modified": "2022-03-07T00:00:00", "id": "CISA:128CACDAC4A49084B5132404C3E20B9D", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/03/07/cisa-adds-11-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-16T15:38:44", "description": "According to its self-reported version, the version of Pulse Policy Secure running on the remote host is prior to 9.1R8. It is, therefore, affected by multiple vulnerabilities:\n\n- An attacker can bypass the Google TOTP, if the primary credentials are exposed to attacker (CVE-2020-8206).\n\n- An authenticated attacker via the admin web interface can crafted URI to perform an arbitrary code execution (CVE-2020-8218).\n\n- An authenticated attacker via the administrator web interface can read arbitrary files (CVE-2020-8221). 
\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-31T00:00:00", "type": "nessus", "title": "Pulse Policy Secure < 9.1R8 (SA44516)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12880", "CVE-2020-15408", "CVE-2020-8204", "CVE-2020-8206", "CVE-2020-8216", "CVE-2020-8217", "CVE-2020-8218", "CVE-2020-8219", "CVE-2020-8220", "CVE-2020-8221", "CVE-2020-8222"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_policy_secure"], "id": "PULSE_POLICY_SECURE-SA-44516.NASL", "href": "https://www.tenable.com/plugins/nessus/139226", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (c) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139226);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2020-8204\",\n \"CVE-2020-8206\",\n \"CVE-2020-8216\",\n \"CVE-2020-8217\",\n \"CVE-2020-8218\",\n \"CVE-2020-8219\",\n \"CVE-2020-8220\",\n \"CVE-2020-8221\",\n \"CVE-2020-8222\",\n \"CVE-2020-12880\",\n \"CVE-2020-15408\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0347-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/07\");\n\n script_name(english:\"Pulse Policy Secure < 9.1R8 (SA44516)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Policy Secure running on the remote host is prior \nto 9.1R8. 
It is, therefore, affected by multiple vulnerabilities:\n\n- An attacker can bypass the Google TOTP, if the primary credentials are exposed to attacker (CVE-2020-8206).\n\n- An authenticated attacker via the admin web interface can crafted URI to perform an arbitrary code execution \n(CVE-2020-8218).\n\n- An authenticated attacker via the administrator web interface can read arbitrary files (CVE-2020-8221). \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f4f18332\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Policy Secure version 9.1R8 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8206\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_policy_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 
2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_policy_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Policy Secure\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Pulse Policy Secure', port:443);\n\nconstraints = [\n {'fixed_version':'9.1R8'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T15:37:48", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to 9.1R8. It is, therefore, affected by multiple vulnerabilities:\n\n- An attacker can bypass the Google TOTP, if the primary credentials are exposed to attacker (CVE-2020-8206).\n\n- An authenticated attacker via the admin web interface can crafted URI to perform an arbitrary code execution (CVE-2020-8218).\n\n- An authenticated attacker via the administrator web interface can read arbitrary files (CVE-2020-8221). 
\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-31T00:00:00", "type": "nessus", "title": "Pulse Connect Secure < 9.1R8 (SA44516)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12880", "CVE-2020-15408", "CVE-2020-8204", "CVE-2020-8206", "CVE-2020-8216", "CVE-2020-8217", "CVE-2020-8218", "CVE-2020-8219", "CVE-2020-8220", "CVE-2020-8221", "CVE-2020-8222"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA-44516.NASL", "href": "https://www.tenable.com/plugins/nessus/139225", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139225);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2020-8204\",\n \"CVE-2020-8206\",\n \"CVE-2020-8216\",\n \"CVE-2020-8217\",\n \"CVE-2020-8218\",\n \"CVE-2020-8219\",\n \"CVE-2020-8220\",\n \"CVE-2020-8221\",\n \"CVE-2020-8222\",\n \"CVE-2020-12880\",\n \"CVE-2020-15408\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0347-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/07\");\n\n script_name(english:\"Pulse Connect Secure < 9.1R8 (SA44516)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior \nto 9.1R8. 
It is, therefore, affected by multiple vulnerabilities:\n\n- An attacker can bypass the Google TOTP, if the primary credentials are exposed to attacker (CVE-2020-8206).\n\n- An authenticated attacker via the admin web interface can crafted URI to perform an arbitrary code execution \n(CVE-2020-8218).\n\n- An authenticated attacker via the administrator web interface can read arbitrary files (CVE-2020-8221). \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f4f18332\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Connect Secure version 9.1R8 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8206\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\n# full ver from https://www-prev.pulsesecure.net/download/techpubs/current/2104/pulse-connect-secure/pcs/9.1rx/9.1r8/ps-pcs-sa-9.1r8.0-releasenotes.pdf\nconstraints = [\n {'fixed_version':'9.1.8.7453', 'fixed_display':'9.1R8'}\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}