In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an authenticated attacker (via the admin web interface) can exploit Directory Traversal to execute arbitrary code on the appliance.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| https://kb.pulsesecure.net/?atype=sa | third party advisory vendor advisory |
| https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ | patch vendor advisory |
| http://www.securityfocus.com/bid/108073 | vdb entry third party advisory broken link |
| https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010 | third party advisory |
| https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf | third party advisory exploit |
| https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/ | third party advisory exploit |
| https://www.kb.cert.org/vuls/id/927237 | third party advisory us government resource |