Vulnerability
In Pulse Connect Secure(PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated attacker with network access via HTTPS can send a specially crafted URL to perform an arbitrary file reading vulnerability.
Impact
This arbitrary file read vulnerability can lead to the leakage of sensitive information, allowing unauthorized remote attackers to read the private key and user password; furthermore, it can even trigger a remote command injection attack(CVE-2019-11539).
Mitigation / Precaution
Our recommendation is to upgrade the Pulse Connect Secure to the latest version as soon as possible to patch the vulnerabilities.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
