Pulse 8月CVE高分威胁-CVE-2019-11510
Pulse CVE-2019-11510安全漏洞,可以造成未经授权的外部访问者通过特定的URI访问到内部资源。CVE评分十分,属高危漏洞。受影响产品为Pulse的PPS、PCS系列,受影响版本目前已发布版本(8.1、8.2、8.3、9.0)均受影响。官方建议尽快升级版本修补漏洞。
解决方案:
根据下表对应版本,选择相应的版本或之后的版本进行更新,如需要下载相应版本请到本站相应服务与支持的相关下载中获取,如果未列出相关版本,请联系我们获取。
| 如果PPS/PCS当前版本是下列 | 升级到相应的版本如下 |
| Pulse Connect Secure 9.0RX | Pulse Connect Secure 9.0R3.4 & 9.0R4 |
| Pulse Connect Secure 8.3RX | Pulse Connect Secure 8.3R7.1 |
| Pulse Connect Secure 8.2RX | Pulse Connect Secure 8.2R12.1 |
| Pulse Connect Secure 8.1RX | Pulse Connect Secure 8.1R15.1 |
| Pulse Policy Secure 9.0RX | Pulse Policy Secure 9.0R3.2 & 9.0R4 |
| Pulse Policy Secure 5.4RX | Pulse Policy Secure 5.4R7.1 |
| Pulse Policy Secure 5.3RX | Pulse Policy Secure 5.3R12.1 |
| Pulse Policy Secure 5.2RX | Pulse Policy Secure 5.2R12.1 |
| Pulse Policy Secure 5.1RX | Pulse Policy Secure 5.1R15.1 |
官方2019年截止8月发现的安全漏洞如下表:
| CVE | CVSS Score (V3) | Summary | Product Affected |
| CVE-2019-11510 | 10 Critical CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | Unauthenticated attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability. | Pulse Connect Secure:
|
| CVE-2019-11508 | 9.9 Critical CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | A vulnerability in the Network File Share (NFS) of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file to write arbitrary files to the local system. | Pulse Connect Secure:
|
| 9.9 Critical CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | Multiple vulnerabilities are patched for Ghostscript. CVE-2018-16513 CVE-2018-18284 CVE-2018-15911 CVE-2018-15910 CVE-2018-15909 CVE-2018-16513 | Pulse Connect Secure:
| |
| CVE-2019-11540 | 8.3 High CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | A vulnerability in the Pulse Secure could allow an unauthenticated, remote attacker to conduct a session hijacking attack. | Pulse Connect Secure:
|
| CVE-2019-11543 | 8.3 HIGH CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | A XSS issue found the admin web console. Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1. | Pulse Connect Secure
|
| CVE-2019-11541 | 8.3 High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | Users using SAML authentication with Reuse Existing NC (Pulse) Session option may see authentication leaks. | Pulse Connect Secure:
|
| CVE-2019-11542 | 8.0 High CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | Authenticated attacker via the admin web interface can send a specially crafted message resulting in a stack buffer overflow. | Pulse Connect Secure:
|
| CVE-2019-11539 | 8.0 High CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | Authenticated attacker via the admin web interface allow attacker to inject and execute command injection | Pulse Connect Secure:
|
| CVE-2019-11538 | 7.7 High CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | A vulnerability in the Network File Share (NFS) of Pulse Connect Secure could allow an authenticated end-user attacker to access the contents of arbitrary files on the local file system. | Pulse Connect Secure:
|
| CVE-2019-11509 | 6.4 Medium CVSS v3 AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H | Authenticated attacker via the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance. | Pulse Connect Secure:
|
| CVE-2019-11507 | 5.8 Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L | A XSS issue has been found in Pulse Secure Application Launcher page. Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3. | Pulse Connect Secure:
|
本文内容来自Pulse官方SA,点击访问。