Vulnerability Details : CVE-2019-11213
In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 before 8.1R14, 8.3 before 8.3R7, and 9.0 before 9.0R3.
Vulnerability category: Bypass
Products affected by CVE-2019-11213
- Pulsesecure » Pulse Connect Secure, versions from 8.1r1.0 (inclusive, >=) up to 8.1r14.0 (inclusive, <=): cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_secure_desktop_client:*:*:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11213
EPSS score: 0.54% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~77% (the proportion of vulnerabilities scored at or below this score)
EPSS Score History
CVSS scores for CVE-2019-11213
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST |
CWE ids for CVE-2019-11213
- Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11213
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114
  Pulse Security Advisory: SA44114 - 2019-04: Out-of-Cycle Advisory: Pulse Desktop Client and Network Connect improper handling of session cookies (CVE-2019-11213). Tags: Vendor Advisory
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114/
  Pulse Security Advisory: SA44114 - 2019-04: Out-of-Cycle Advisory: Pulse Desktop Client and Network Connect improper handling of session cookies (CVE-2019-11213). Tags: Vendor Advisory
- https://www.kb.cert.org/vuls/id/192371
  VU#192371 - VPN applications insecurely store session cookies. Tags: US Government Resource; Third Party Advisory