CVE-2021-22899 : A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4

A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature

Published 2021-05-27 12:15:08

Updated 2025-02-12 19:59:56

Source HackerOne

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2021-22899

Ivanti » Connect Secure » Version: 9.1 Update R1
cpe:2.3:a:ivanti:connect_secure:9.1:r1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R11.3
cpe:2.3:a:ivanti:connect_secure:9.1:r11.3:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R2
cpe:2.3:a:ivanti:connect_secure:9.1:r2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R3
cpe:2.3:a:ivanti:connect_secure:9.1:r3:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R4
cpe:2.3:a:ivanti:connect_secure:9.1:r4:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R4.1
cpe:2.3:a:ivanti:connect_secure:9.1:r4.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R4.2
cpe:2.3:a:ivanti:connect_secure:9.1:r4.2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R4.3
cpe:2.3:a:ivanti:connect_secure:9.1:r4.3:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R5
cpe:2.3:a:ivanti:connect_secure:9.1:r5:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R6
cpe:2.3:a:ivanti:connect_secure:9.1:r6:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R7
cpe:2.3:a:ivanti:connect_secure:9.1:r7:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R8
cpe:2.3:a:ivanti:connect_secure:9.1:r8:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R8.1
cpe:2.3:a:ivanti:connect_secure:9.1:r8.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R8.2
cpe:2.3:a:ivanti:connect_secure:9.1:r8.2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R9
cpe:2.3:a:ivanti:connect_secure:9.1:r9:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R9.1
cpe:2.3:a:ivanti:connect_secure:9.1:r9.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R1
cpe:2.3:a:ivanti:connect_secure:9.0:r1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R2
cpe:2.3:a:ivanti:connect_secure:9.0:r2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R2.1
cpe:2.3:a:ivanti:connect_secure:9.0:r2.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R3
cpe:2.3:a:ivanti:connect_secure:9.0:r3:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R3.1
cpe:2.3:a:ivanti:connect_secure:9.0:r3.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R3.2
cpe:2.3:a:ivanti:connect_secure:9.0:r3.2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R3.3
cpe:2.3:a:ivanti:connect_secure:9.0:r3.3:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0
cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R3.5
cpe:2.3:a:ivanti:connect_secure:9.0:r3.5:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R4
cpe:2.3:a:ivanti:connect_secure:9.0:r4:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R4.1
cpe:2.3:a:ivanti:connect_secure:9.0:r4.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R5.0
cpe:2.3:a:ivanti:connect_secure:9.0:r5.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R6.0
cpe:2.3:a:ivanti:connect_secure:9.0:r6.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1
cpe:2.3:a:ivanti:connect_secure:9.1:-:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R10.0
cpe:2.3:a:ivanti:connect_secure:9.1:r10.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R10.2
cpe:2.3:a:ivanti:connect_secure:9.1:r10.2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R11.0
cpe:2.3:a:ivanti:connect_secure:9.1:r11.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R11.1
cpe:2.3:a:ivanti:connect_secure:9.1:r11.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R8.4
cpe:2.3:a:ivanti:connect_secure:9.1:r8.4:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.1 Update R9.2
cpe:2.3:a:ivanti:connect_secure:9.1:r9.2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R1.0
cpe:2.3:a:ivanti:connect_secure:9.0:r1.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R2.0
cpe:2.3:a:ivanti:connect_secure:9.0:r2.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R3.0
cpe:2.3:a:ivanti:connect_secure:9.0:r3.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update R4.0
cpe:2.3:a:ivanti:connect_secure:9.0:r4.0:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 9.0 Update RX
cpe:2.3:a:ivanti:connect_secure:9.0:rx:*:*:*:*:*:*
Matching versions

CVE-2021-22899 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Ivanti Pulse Connect Secure Command Injection Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Ivanti Pulse Connect Secure contains a command injection vulnerability that allows remote authenticated users to perform remote code execution via Windows File Resource Profiles.

Notes:

Reference CISA's ED 21-03 (https://www.cisa.gov/news-events/directives/ed-21-03-mitigate-pulse-connect-secure-product-vulnerabilities) for further guidance and requirements. Note: The due date for addressing this vulnerability aligns with the requirements outlined in ED 21-03. https://nvd.nist.gov/v

Added on 2021-11-03 Action due date 2021-04-23

Exploit prediction scoring system (EPSS) score for CVE-2021-22899

EPSS FAQ

44.95%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-22899

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-07
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-22899

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)

References for CVE-2021-22899

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY

Pulse Security Advisory: SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4
Broken Link;Vendor Advisory

CVEs referencing this url